April 30, 2005

Information Technology Management

Report on Standard Finance System Controls Placed in Operation and Tests of Operating Effectiveness for the Period October 1, 2004 through March 31, 2005 (D-2005-059)

Department of Defense
Office of the Inspector General

Constitution of the United States

       A Regular Statement and Account of the Receipts and Expenditures of all public
       Money shall be published from time to time.
                                                                Article I, Section 9

Table of Contents

Foreword

Section I
      Independent Service Auditors’ Report

Section II
      Information Provided by DFAS and DISA
            Overview of Operations
            Relevant Aspects of the Control Environment, Risk Assessments, and Monitoring
               Control Environment
               Risk Assessments
               Monitoring
            Information and Communication
            Control Objectives and Related Control Activities
            User Organization Control Considerations

Section III
      Control Objectives, Control Activities, and Tests of Operating Effectiveness
            Scope Limitations
            Control Deficiencies
            Control Objectives, Control Activities, and Tests of Operating Effectiveness
               General Computer Controls
                  Security Program (SP)
                  Access Control (AC)
                       Logical Security
                       Physical Security
                       Computer Operations
                  Change Control (CC)
                  System Software (SS)
                  Service Continuity (SC)
                       Backup and Recovery
                       Physical Computer Asset Protection
               Application Controls
                  Authorization (AN)
                  Completeness (CP)
                  Accuracy (AY)
                  Integrity (IN)

Section IV
      Supplemental Information Provided by DFAS and DISA
            Continuity of Operations Planning

Acronyms and Abbreviations

Report Distribution

FOREWORD

This report is intended for the use of DFAS and DISA management, its user organizations, and the independent auditors of its user organizations. Department of Defense personnel who manage and use the Standard Finance System (STANFINS) will also find this report of interest, as it contains information about STANFINS general and application controls.

The IG DoD is implementing a long-range strategy to conduct audits of DoD financial statements. The Chief Financial Officers Act of 1990 (P.L. 101-576), as amended, mandates that agencies prepare and conduct audits of financial statements. The reliability of information in STANFINS directly impacts DoD’s ability to produce reliable, and ultimately auditable, financial statements, which is key to achieving the goals of the Chief Financial Officers Act.

STANFINS is a general fund accounting system developed to support day-to-day operations of U.S. Army and National Guard installations worldwide, as well as the Defense Commissary Agency. Other DoD agencies receive trial balance data from STANFINS for use in preparing their financial statements. STANFINS provides support for fund and obligation control, budget execution and expenditure accounting, reimbursable accounting, miscellaneous accounting (disbursements and collections), general ledger control, and financial reporting. In FY 2003, STANFINS processed more than $300 billion of general fund transactions.

This audit assessed controls over the STANFINS processing of the $300 billion of transactions at DFAS and DISA. This report provides an opinion on the fairness of presentation, the adequacy of design, and the operating effectiveness of key controls that are relevant to audits of user organization financial statements. As a result, this audit precludes the need for the multiple audits of STANFINS controls previously performed by user organizations to plan or conduct financial statement and performance audits. A separate audit report will provide recommendations to management for correction of the identified control deficiencies. Effective internal control is critical to achieving reliable information for all management reporting and decision-making purposes.

A selection process is underway to replace STANFINS with the General Fund Enterprise Business System (GFEBS). However, based on the status of the GFEBS procurement effort, it is not likely that GFEBS will replace STANFINS until after FY 2007. This audit will assist in ensuring that STANFINS provides reliable information to management in the interim and, when GFEBS does come on line, that only valid data is migrated to the new system.

Section I: Independent Service Auditors’ Report

•   Reviews to confirm that STANFINS transaction processing or master file updates were successfully completed, and that source documents were correctly entered into the STANFINS Terminal Application Processing System (TAPS).

Additionally, the STANFINS General Fund and Inquiry (AVK087) report, relied on by users to identify accounting issues such as Negative Unliquidated Obligations (NULOs) and problem disbursements, reported accounting issues only when automated edit checks first identified and reported the error. Issues were not reported on subsequent reports regardless of whether corrective actions were taken. This condition increased the risk that issues not addressed on the day of first reporting would never be addressed and would ultimately result in misstatements of financial information.

In our opinion, the accompanying description of the aforementioned controls presents fairly, in all material respects, the relevant aspects of DFAS and DISA controls that had been placed in operation as of March 31, 2005.
Also, in our opinion, except for the deficiencies referred to in the preceding paragraph, the controls, as described, are suitably designed to provide reasonable assurance that the specified control objectives would be achieved if the described controls were complied with satisfactorily.

Key logical security controls were operating ineffectively and, in some cases, were not implemented during part or all of the examination period. Specifically:

•   During testing, DFAS field sites were unable to generate STANFINS and TAPS user access lists directly from the security system, which prevented effective STANFINS logical access administration. Also, controls related to the authorization of logical access to the STANFINS application and General Support System (GSS) were inconsistently applied. Specifically, user access forms, including management authorization for user access, were inconsistently documented. User access recertifications were inconsistently performed across DISA and DFAS locations and, as a result, duplicate accounts, inactive accounts, accounts belonging to separated employees, and accounts with excessive access were identified across all STANFINS Army Standard Information Management System (ASIMS) domains.

•   Technical control configurations restricting access to the STANFINS application and GSS did not comply with DoD requirements. Specifically, the configured settings for minimum password length, complexity requirements, and reuse restrictions, and for the automated checking that verifies the authority of users to submit batch jobs, did not comply with DISA policy. Remote access to the DISA Defense Enterprise Computing Center (DECC) mainframe located in St. Louis, Missouri, via telnet was neither restricted nor secured with encryption.

•   Audit logging, monitoring, and follow-up were conducted inconsistently and were undocumented for three months of the six-month examination period. Specifically, audit logs were not created for the use of sensitive system utilities on the STANFINS domains secured by Computer Associates (CA) Access Control Facility 2 (ACF2) security software. Logs that detail the activities of remote user sessions were not maintained or reviewed. Also, DISA had not segregated monitoring and security administration responsibilities for the ACF2 and CA-Top Secret security software.

These control deficiencies had the potential to affect the achievement of the application control objectives related to authorization and integrity, as well as the logical security control objective.

Additionally, authorizing officials inconsistently signed the access forms that granted entrance privileges to the computer room housing the STANFINS mainframe. Individuals were identified who had unnecessary access to the computer room housing the STANFINS mainframe.

Documentation of testing, authorization, and communication of STANFINS application changes was inconsistently generated and maintained. Additionally, there was no automated application change management/version control software in place to maintain a history of changes to STANFINS. These control deficiencies had the potential to affect the achievement of the integrity and application change control objectives.

DISA had not developed procedures to manage system software changes. The procedures should have specified the personnel responsible for changes, methods to describe system software problems, and means of testing changes. In addition, the procedures should have provided for impact analyses, change approvals, implementation and verification procedures, and documentation requirements. System software change documentation did not always include detailed information about the change, such as testing results or impact analyses. These control deficiencies had the potential to affect the achievement of the computer operations and integrity control objectives, as well as the system software control objective.

As discussed in the accompanying control descriptions, key computer operations controls were operating ineffectively and, in some cases, were not implemented during part or all of the examination period. Specifically:

•   At DECC St. Louis, Missouri, user access to Control-M (a mainframe job scheduling utility) was excessive based on segregation of duties principles.

•   One DFAS site responsible for production administration had not documented production scheduling procedures. The site lacked procedures for scheduling and monitoring production jobs and handling job failures.

•   Two of three DFAS sites responsible for production administration did not have documented procedures for job schedule changes.

In addition to the procedures we considered necessary to render our opinion as expressed in the previous paragraph, we applied tests to specific controls, listed in Section III, to obtain evidence about their effectiveness in meeting the control objectives described in Section III during the period from October 1, 2004 to March 31, 2005. The specific controls and the nature, timing, extent, and results of the tests are listed in Section III. This information has been provided to user organizations of DFAS and DISA and to their auditors to be taken into consideration, along with information about the internal control of user organizations, when making assessments of control risk for user organizations. In our opinion, except for the deficiencies listed in the preceding paragraphs, the controls that were tested, as described in Section III, were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives specified in Section III were achieved during the period from October 1, 2004 to March 31, 2005; however, the scope of our engagement did not include tests to determine whether control objectives not listed in Section III were achieved; accordingly, we express no opinion on the achievement of control objectives not listed in Section III.

The relative effectiveness and significance of specific controls at DFAS and DISA, and their effect on assessments of control risk at user organizations, are dependent on their interaction with the controls and other factors present at individual user organizations. We performed no procedures to evaluate the effectiveness of controls at individual user organizations.

The description of controls at DFAS and DISA is as of March 31, 2005, and the information about tests of the operating effectiveness of specific controls covers the period from October 1, 2004 to March 31, 2005. Any projection of such information to the future is subject to the risk that, because of change, the description may no longer portray the controls in existence. The potential effectiveness of specific controls at DFAS and DISA is subject to inherent limitations and, accordingly, errors or fraud may occur and not be detected. Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that changes made to the system or controls, or the failure to make needed changes to the system or controls, may alter the validity of such conclusions.

II.
Information Provided by DFAS and DISA

A. OVERVIEW OF OPERATIONS

Department of Defense

The Department of Defense (DoD) is the cabinet-level agency responsible for establishing and administering defense initiatives and strategy for the United States. DoD employs approximately two million military and civilian individuals and has an annual revenue/operating budget of $371 billion.

The DoD organization structure is arranged such that the Joint Chiefs of Staff, DoD OIG, Office of the Secretary of Defense, and each of the military branches report to the Secretary of Defense and Under Secretary of Defense.

Defense Finance and Accounting Service

The DFAS mission is to provide responsive, professional finance and accounting services for the DoD. The Director of DFAS reports to the Under Secretary of Defense (Comptroller)/Chief Financial Officer (USD(C)/CFO). DFAS is organized under the Office of the Secretary of Defense and is responsible for the proper accounting of resources within DoD. DFAS is organized such that the Director and Deputy Director of DFAS oversee the operations depicted in the organization chart below.

[Organization chart: Director/Deputy Director over Client Executives, Military & Civilian Pay Services, Commercial Pay Services, Accounting Services, CFO/Corporate Resources, and Chief Information Officer; staff elements AMO/DAE, Policy, Plans & Requirements, Internal Review, General Counsel, and Chief of Staff; the STANFINS Program Management Office and the Technical Services Organization, serving the Field Sites and the User Base.]
           CFO – Chief Financial Officer
           AMO – Acquisition Management Organization
           DAE – DFAS Acquisition Executive

Within the Accounting Systems Directorate, Installation and Tactical Support Accounting Systems Organization, the Program Management Office (PMO) helps to ensure continued operation of STANFINS in accordance with DoD security and operational requirements. The Technical Services Organization (TSO) is responsible for elements of the technical administration of STANFINS and provides multi-tier system support in coordination with other organizations. The TSO carries out its responsibilities for many aspects of system support in coordination with the Centralized Directorate for Information Management (CDOIM), as well as the decentralized DOIM organizations servicing other DFAS sites. The CDOIM and DOIM groups are responsible for the overall management and continuance of the STANFINS computer processing operations. See the Information Systems section (in the Information and Communication section) for a detailed description of the PMO, TSO, CDOIM, and DOIM organizational roles relative to the administration and operation of STANFINS.

Defense Information Systems Agency

DISA is a combat support agency responsible for planning, engineering, acquiring, fielding, and supporting global net-centric solutions (systems with operations distributed across a network) to serve the needs of the President, Vice President, the Secretary of Defense, and other DoD Components, under all conditions of peace and war.

DISA performs the following in support of the administration of the information technology architecture underlying STANFINS:

•   Installation and maintenance of system software, including operating systems, communication networks, and file control software;
•   Installation and maintenance of the ASIMS database management software, as well as CA’s Data Query (a Commercial Off-the-Shelf (COTS) software package);
•   Administration of the system parameter settings available within the ASIMS software, which provides logical access control;
•   Restriction of physical access to computer facilities and to the application programs/data files housed in the facility;
•   Backup and contingency planning, including maintenance of off-site processing capabilities and rotational off-site storage of critical files; and
•   Logical segregation of major applications from other systems resident on the domain hardware and from unauthorized external users.

By providing the services and fulfilling the responsibilities outlined above, DFAS and DISA represent service organizations/service organization components that act in concert to provide finance and accounting services, supported by information systems and technology, to specific DoD user organizations:

•   Army Posts, Camps and Stations (e.g., Fort Riley, Fort Belvoir)
•   Air Force (Security Assistance – DFAS-Denver)
•   Defense Commissary Agency (DeCA) – Worldwide
•   Other Defense Agencies (e.g., Defense Advanced Research Projects Agency (DARPA) and DoDEA)
•   DFAS field sites (e.g., Pearl Harbor, HI; San Antonio, TX; Indianapolis, IN; Orlando, FL; Rome, NY; Lawton, OK; Seaside, CA)

DISA’s relationship with DFAS is, itself, a service organization/user organization relationship. DISA provides platform hosting and systems and hardware support services to DFAS, a user/administrator of the STANFINS application resident on the DISA-operated platform; however, for the purposes of the Statement on Auditing Standards (SAS) 70 examination (the results of which are reported herein), DISA and DFAS are viewed as a combined service organization delivering information systems technology-enabled finance and accounting support services, which are in part realized through the STANFINS application and GSS, to a series of user organizations.

B.
RELEVANT ASPECTS OF THE CONTROL ENVIRONMENT, RISK ASSESSMENTS, AND MONITORING

Control Environment

Defense Finance and Accounting Service

The structure of the organizations supporting STANFINS provides the overall framework for planning, directing, and controlling operations. Operations and business functions are segregated into tasks and/or staffs according to job responsibilities. This framework allows STANFINS users to clearly define the lines of authority for reporting and communication purposes, and allows employees to focus on the business functions of their respective divisions.

Administrative and user groups are organized by function to maintain an appropriate segregation of duties, which promotes checks and balances for key steps in all sensitive functions and meets applicable legal and regulatory requirements. Segregation of duties covers, wherever possible, both employees and supervisors. In general, different individuals perform the key steps in completing all major types of financial transactions. These steps include budgeting, preparation of proposals or requisitions, authorization of transactions, certification of funds availability, obligation of funds, recordation of obligations, certification of disbursements (or schedules of disbursements issued by the Treasury Department), disbursement of funds, and financial reporting.

TSO-Indianapolis manages the STANFINS Information Technology (IT) security program, which is focused on assuring that the STANFINS infrastructure and critical assets are appropriately safeguarded. The Program/System Manager provides overall leadership and helps coordinate policies, procedures, and activities with IT services. The program is administered based on a fundamental philosophy of risk management, whereby IT risks are identified, understood, assessed, and mitigated appropriately. This planned approach allows the Information Systems Security Manager (ISSM) to implement appropriate protective measures and helps ensure the privacy, availability, integrity, and security of IT resources (see the Risk Assessments section for more information regarding this process).

STANFINS senior IT staff, acting under the direction of the ISSM, develop and implement Army-wide IT security, oversee certification and accreditation of the STANFINS mission-essential systems, and establish and implement the STANFINS-wide Incident Response Program, to include investigating reported IT security incidents and their appropriate disposition.

Defense Information Systems Agency

Operations

Operations has the responsibility of providing Computing Services core services and meeting customer expectations through professional, consistent operations services and the standard implementation of proven industry best practices. The Computing Services Operations Division (CSOD) is responsible for the continual refinement and analysis of operations performance metrics and practices, to identify and implement opportunities for improvement in the execution of core operations services and to maintain the integrity of the security posture of the operations environment. The implementation of a strong customer-focused environment and highly responsive post-deployment support services maintains and supports Computing Services customer relationships. Centralized management of all operating locations helps to ensure that customers receive the same predictable, high-quality services regardless of processing location.

Computing Services Operations Division Headquarters

DISA Computing Services Operations is organized in three layers: policy/plans at the Headquarters, centralized operations at the Headquarters, and the direct operations functions at field operating locations. The overall organization is depicted in the following chart.

[Organization chart: Chief, Operations Division, and Deputy Chief, with an HQ Field Liaison to the SMCs/DECCs/PE. Headquarters elements: Operations Management Branch (Customer Service Management Program; Policy/Planning Section), Special Programs Section, Network Operations Branch Chief (Section Chief), and Central Staging. Centralized operations: SSO Mechanicsburg and SSO Montgomery; SMC OKC with CCC Oklahoma, and SMC Montgomery with CCC Montgomery. Field operating locations: Mechanicsburg, Chambersburg, Denver, Oklahoma, Montgomery, and National Capital Region.]
SMC = Systems Management Center
DECC = Defense Enterprise Computing Center
CCC = Central Communications Center
SSO = Systems Support Office
PE = Processing Elements

At the CSOD Headquarters level, the Chief Operations Officer reports directly to the Principal Director for DISA Computing Services. The Chief of Operations has overall responsibility for issuing operations standards, policies, plans, standard business processes, and standard operations procedures. Accomplishing the objectives of the core CSOD function requires extensive interaction with all other organizational headquarters elements, senior-level customer representatives, and other DISA elements.

Network Operations Branch

Current Operations is a Headquarters-level function providing centralized enterprise monitoring that gives senior-level management an enhanced situational awareness posture over the entire Computing Services operations environment. This function supports the corporate incident reporting process, which provides details of high-impact, high-visibility, or high-interest incidents throughout the operational environment, and provides a liaison function with other key elements of DISA to help ensure that DISA elements and DISA CSD maintain mutual awareness of incidents that cross organizational boundaries.

Special Programs Section – Application Support and Security

The Applications Support team serves as the Operations representative on new business proposal teams. They consult with customers to identify and specify system requirements, define systems scope and objectives, and prepare estimates of the operational resources that will be required for sustainment. Responsibilities include monitoring, analyzing, and reporting performance metrics, outages, and trends for the production systems associated with assigned functional support areas.

The Security Team provides Information Assurance guidance and enforces policy.
They also provide\ncentralized clearance processing for CSOD personnel security as matrixed support from the Field Security\nOffice (FSO).\n\nOperations Management Branch\n\nThe Operations Management Branch is attached to the Chief of Operations at the Headquarters level.\nThis organization is responsible for policies, procedures, standards, and management oversight for the\nCSOD configuration management process. The Policy/Planning Branch is responsible for the centralized\nchange management process within Computing Services and manages the enterprise Configuration\nControl Board.\n\nThe Operations Management Branch includes centralized technical and program support functions\nimpacting standardization and optimization of the operating site production environments. Denver,\nColorado and Mechanicsburg, Pennsylvania currently support CMS, Capacity Management, and Multiple\nVirtual Storage (MVS) Capacity functions. Specific functions include: capacity management for all\nplatforms, performance management, asset management, inventory management, facilities management,\nassured computing, quality management, and customer service management.\n\nCentral Staging\n\nThe Central Staging Site is also a part of this branch and will perform centralized receipt and staging of\nenterprise assets. The Central Staging Site is responsible for inventory control and asset management for\nall new Computing Services assets.\n\nCentralized Operations\n\nOperations functions providing support services that impact all platforms and customers are organized as\ncentralized operations functions at the Headquarters level. The centralized functional organizations are\nthe System Support Offices and the Production Branch of CSOD.\n\nSystem Support Office (SSO)\n\nMechanicsburg and Montgomery support the SSO functions. 
SSO Mechanicsburg provides executive\nsoftware standards for OS/390 platforms, chairs the Executive Software Change Control Board, and\nmaintains a software library of all OS/390 products and patches. SSO Mechanicsburg also provides\nconsultation and technical support for special projects impacting the OS/390 environment and a help desk\nfunction that acts as a liaison for operating locations needing technical assistance from vendors whose\nproducts the DISA CSD Central Maintenance contract supports. SSO Montgomery provides similar\nexecutive software support functions for the Unisys and Open Systems environments and maintains a\n\n\n                                                    13\n\x0clibrary of software for these platforms. The SSO supported Software Factory provides an online\nmechanism for the software release process. SSO Montgomery also provides a release process for\ndistribution of physical media.\n\nCentral Communications Centers (CCCs)\n\nThe CCCs are located at two of the Systems Management Centers (SMCs). The CCCs provide\ngeographically diverse coverage to support the technical network infrastructure operations functions.\n\nSystems Management Centers/Defense Enterprise Computing Centers (SMC/DECCs)\n\nProduction Operations incorporates the field operations functions directly supporting customer\nrequirements. Four SMC locations and four production sites support Production Operations. The SMC\nlocations include production operations as well as the technical support and standardized customer\nsupport functions for the enterprise. The four production sites provide facilities and touch labor, but one\nof the SMC locations remotely provides technical support and customer support functions for systems\nresiding at these production sites.\n\nSMC operating facilities are located at four production operations sites. Two SMCs support OS/390\nprocessing, two support UNISYS processing, and all four sites support server workload. 
Each SMC provides both production processing and technical support for the applicable operating system platforms. Two SMCs also have a Central Communications Center providing technical network management for all production sites. Each SMC provides customer support services focused on specific customer groups. The primary customer support groups are the Navy, Marine Corps, Air Force, Army, DFAS, Defense Logistics Agency (DLA), and Military Health Services (MHS).

Core operations and customer support functions are organized in two branches within each SMC: SMC Operations and SMC Technical Support. The relationship of these organizational elements is illustrated below.

[Figure: Systems Management Center (SMC) organization chart. Two branches: SMC Operations, made up of Customer-Focused Operations Support Teams, and SMC Technical Support, made up of Technical Support Cells.]

SMC Operations

Consistent with industry practice, the DISA CSD Operations Support Team (OST) concept provides a customer-oriented service structure to implement high performance help desks. Under this concept, a customer-focused team is constructed to provide all the service and knowledge elements that pertain to that customer's post-deployment support.
These services include the traditional Tier 1 help desk support, traditional basic console/operations support for the customer's applications, basic system monitoring for the customer's platforms and applications, and other key skills required to be responsive to that customer.

The availability of a higher set of knowledge and skills co-located in the OST improves First Call Resolution (FCR). Incorporation of the basic applications support, scheduling, and operations functions for the customer also promotes an intimate knowledge of that customer's environment and priorities, and an immediate knowledge of current status. Incorporation of monitoring functions using Enterprise Systems Management (ESM) standard system monitoring components oriented toward the OST customer completes a situational awareness for that customer that ensures a high-quality professional response at the first call. Only issues that require system-level access or that are new, unique problems will have to be referred to the technical support group.

Customer-oriented OSTs provide a single phone number and a consistent team of individuals to assist the customer base. This results in the development of a relationship of trust and loyalty with the customer and an in-depth understanding of customer missions, concerns, and operations cycles.
Often, agent monitoring systems will be able to take action proactively because of this level of customer knowledge. The development of a close relationship with the customer, and the dedication of a team to that customer, promotes an implementation of Total Contact Management that supports SMC operations objectives.

With the OST focus on a particular customer, trends in types of calls will become apparent. Knowledgeable agents experienced with a particular customer base will be able to identify candidate categories for further analysis, either perform the analysis or refer to the proper technician, and help define permanent fixes to eliminate categories of calls. Through their relationship with the customer, the OST can perform customer education over time to help eliminate other categories of routine calls. They can also support online self-help by providing knowledge suitable for the customer to access directly to answer common questions. These activities will eventually result in call prevention for routine issues or informational inquiries. As agents filter out routine calls, they will be devoted to resolving increasingly complex questions for their customers.

Risk Assessments

Defense Finance and Accounting Service

Management representatives of the PMO and TSO, collectively known as "STANFINS management," identify and evaluate relevant risks associated with operations and systems. STANFINS management is aware of the numerous internal and external risks associated with STANFINS operations and takes appropriate action to eliminate or mitigate the risk exposure. STANFINS management meets continuously to discuss division operations. Management addresses risk identification, analysis, and resolution planning and implementation.
Risks identified through external audits and other evaluations, including the Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP) (described in the Monitoring section), are also included in the risk assessment process.

STANFINS Management follows the Mission Assurance Category (MAC) III controls assessment guidelines and Confidentiality Controls as documented in DoD Instruction 8500.2, Information Assurance Implementation, when performing risk assessment activities. STANFINS Management performed the most recent risk assessment in November 2003, which is documented in Appendices P and Q of the STANFINS System Security Authorization Agreement (SSAA). The Information Assurance division of STANFINS Management performed this MAC III-based assessment. The MAC III assessment evaluates existing policies and procedures, and provides a summary of areas of potential risk that relate to STANFINS.

Defense Information Systems Agency

Risk Assessments have been developed for each enclave/site within Computing Services. Each assessment identifies the risk, the probability of the risk occurring, and the impact if the risk does occur; identifies countermeasures implemented to reduce the risk; and identifies the residual risk, potential risk, and countermeasures required to address the potential risk.
These risk assessment documents are updated a minimum of every 18 months.

Sites are capable of performing self-assessment Security Readiness Reviews (SRR) that validate compliance with Security Technical Implementation Guides (STIGs) and can perform self-assessment vulnerability scans.

Field Security Operations conducts annual independent reviews for STIG compliance and vulnerability scans.

Monitoring

Defense Finance and Accounting Service

DFAS, TSO, and DISA management and supervisors perform continuous monitoring of the performance of internal controls as a part of their normal operations. They use reconciliation, comparisons, and exception reporting, along with normal supervisory activities, to achieve internal control monitoring. Management evaluates findings from external audits and management reviews, develops corrective actions or responses, and takes action to resolve the findings. They report the status of the resolution of the material findings and weaknesses to the DFAS-IN STANFINS Systems Office on a regular basis, and action is taken as necessary. In addition, the DITSCAP Certification and Accreditation (C&A) requirements include the periodic monitoring of STANFINS-related internal controls.

DoD Instruction 5200.40, Department of Defense Information Technology Security Certification and Accreditation Process, December 20, 1997, establishes a standard Department-wide process, set of activities, general tasks, and management structure to certify and accredit information systems that will maintain the information assurance and security posture of the defense information infrastructure throughout the lifecycle of each system.
The certification process is a comprehensive evaluation of the technical and non-technical security features of an information system and other safeguards to establish the extent to which a particular design and implementation meets specified security requirements; it covers physical, personnel, administrative, information, information systems, and communications security. The accreditation process is a formal declaration by the designated approving authority that an information system is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk. STANFINS was certified and accredited by the DFAS Designated Authority in December 2003.

Defense Information Systems Agency

The CSOD Current Operations staff provides centralized event monitoring in support of the CSD senior management. Standard monitoring tools provide near real-time data on the status of all production operations environment components, including applications, platforms, and networks. Enterprise Systems Management (ESM) provides presentation tools that allow monitoring of consolidated information by customer, application, network segment, or by any other appropriate business category designation. The Operations Monitoring function maintains continuous surveillance of high-level indicators of the health of the key elements of the CSOD operations environments. Alerts and alarms provide an early warning of potential customer impact and enhanced situational posture awareness for the Chief of Operations and senior CSD staff.

Information Assurance (IA) Security staff is specifically charged with providing information security support and solutions for intrusion monitoring and detection, incident reporting, and trend analysis in support of customer requirements.
The IA staff participates in the planning, installation, operations, and maintenance of Information Security technologies, systems, procedures, plans, and services associated with each customer's Area of Responsibility. The day-to-day operations for security provided by IA include, but are not limited to, the following core functions:

• Network Intrusion Detection Monitoring
• Level I data analysis – correlation of activity with sensor data and initial log review
• AOR Incident/Event Trending
• Event, Incident, and Mission impact determination/escalation/prioritization
• Coordination of Incident and Event Feedback to customer
• Penetration Tests/IA Exercises/IA Reviews

In accordance with DISA Instruction 630-230-31, Enclave Security, March 30, 2001, IA technology has been implemented throughout the DISA Assured Computing Environment in order to provide a reliable, available, and secure network. Other IA tools, processes, and functions may be implemented as deemed necessary to defend the network, enclave boundaries, local computing environments, and supporting infrastructure against all threats.

C. INFORMATION AND COMMUNICATION

Information Systems

Application Overview

STANFINS is a general fund accounting system developed to support the day-to-day operations of the U.S. Army, as well as other select DoD operational components. STANFINS provides for the input and master file update of transactions related to funding and budget execution, expenditures, "reimbursables," disbursements and collections with no impact on funds allotted to installations, and general ledger updates for the purposes of complete and accurate financial reporting.
STANFINS shares the hardware and telecommunications resources of ASIMS, and 65 DECC-St. Louis databases currently field the system.

The Director, Finance and Accounting, Office of the Assistant Secretary of the Army for Financial Management (OASA (FM)) and the U.S. Army Information Systems Software Development Center–Washington developed STANFINS through a joint effort. The STANFINS design has been predicated on the OASA (FM) requirement to help ensure that Department of the Army accounting systems comply with the Budget and Accounting Procedures Act of 1950.

Specifically, STANFINS provides the following:

• Full disclosure of the financial results of all activities
• Adequate information required for all management purposes
• Effective control over and accountability for all funds and other assets
• Reliable data to serve all budgetary purposes
• Means for integrating Army financial data with related data in the accounts of the Treasury Department.

STANFINS is a legacy system operating in a "maintenance mode" (i.e., only emergency changes are applied to the application production environment). Although in maintenance mode, STANFINS systems offices and field sites are consolidating databases to realize savings and migrating new customers, such as the National Guard and the Installation Management Agency (IMA), to STANFINS. A selection process is currently underway to replace STANFINS and many other systems supporting Army customers with a new Enterprise Resource Planning software package: the General Fund Enterprise Business System.

General Support System

STANFINS production programs (also known as "jobs") exist on a Complementary Metal Oxide Semiconductor (CMOS) AMDAHL 2054 mainframe running IBM's OS/390 Release 2.10 mainframe operating system.
Each Logical Partition (LPAR) contains a series of site/installation databases that are configured at a one-database-to-one-site/installation ratio. The mainframe is responsible for storing all STANFINS data, with interactive capability for local and remote end users. The mainframe uses removable media for data storage. IBM-compatible personal computers with terminal emulation software clients are used to input data not entered through automated interfaces with other systems. All end-user connections transmit clear-text, non-encrypted data using the ELAN and the Sensitive but non-classified Internet Protocol Router Network (NIPRNET), a telephone/telecommunication media-based network managed by DISA. The mainframe connects to the network communication devices that comprise the gateways to the NIPRNET and ELAN via IBM Open Systems Adapter integrated adapter hardware and software.

STANFINS programs are written in Common Business Oriented Language (COBOL) 74 and comprise approximately 1.8 million lines of code that are designed to run on IBM/MVS/XA processing environments. TAPS and the Customer Information Control System (CICS) provide for and facilitate online user interaction with the application. CICS is an online, interactive mainframe program used to access various applications. CICS permits entry and update of information on a screen, movement between screens, and printing of documents. The TAPS utility is used during sign-on and sign-off procedures to the ASIMS Network and for the manual input of accounting data into STANFINS. COTS software provides data query capability. BMC Software's Control-M utility provides production scheduling and management.
CA DATACOM/database is the backend database management system that contains STANFINS standing and transaction data.

Each STANFINS-related LPAR resident on the CMOS7 mainframe contains a series of site/installation databases that are currently configured at a one-database-to-one-site/installation relationship. There are 65 databases established on six production LPARs. Three of these databases, which are classified, are outside of the scope of this review. The six production LPARs, along with one development LPAR, are identified as follows (Domain Code, Domain Name, Applicable DFAS Field Sites, Installation Databases):

MSK-ASIMS-S (St. Louis)
  Applicable DFAS field sites: San Antonio, TX; Lawton, OK; Directorate for Network Operations (DNO), Indianapolis, IN; Rome, NY; Orlando, FL
  Installation databases: Fitzsimons; Ft. Carson; Ft. Hood; Ft. Sam Houston; National Guard Bureau (NGB) Oklahoma; Ft. Leavenworth; Ft. Polk; Ft. Riley; Ft. Sill; Ft. Buchanan

MSL-ASIMS-E (East)
  Applicable DFAS field sites: Columbus, OH; DNO, Indianapolis, IN; Centralized Disbursing; Rome, NY; Orlando, FL; Military Pay (MILPAY); Lexington, KY; Lawton, OK; DEPT97
  Installation databases: Europe DeCA; Columbus DeCA; Disbursing; Secretary of the Army Financial Operations (SAFINOPS); Ft. Campbell; Carlisle Barracks; Ft. Dix; Ft. Drum; DFAS-IN Harrison; Centralized Pay (CEN PAY); NGB Pennsylvania; United States Army Intelligence and Security Command (INSCOM); Ft. Knox; U.S. Army Special Operations Command (USASOC); Ft. Meade; Defense Travel System (DTS); Ft. Leonard Wood; DFAS

MSM-ASIMS-W (West)
  Applicable DFAS field sites: Pearl Harbor, HI; Seaside, CA; DNO, Indianapolis, IN; Rome, NY
  Installation databases: Alaska/Hawaii; Ft. Huachuca; Ft. Bliss; NGB-Indiana; Ft. Irwin; NGB-California; Ft. Lewis; Reserves

MSQ-ASIMS-Ch (Chambersburg)
  Applicable DFAS field sites: DNO, Indianapolis, IN; San Antonio, TX; Rome, NY; Seaside, CA; Lawton, OK; Norfolk, VA; DFAS-Denver
  Installation databases: Military District of Washington (MDW); Foreign Military Sales (FMS); Ft. Eustis; Europe-Medical Command (MEDCOM); Europe-Kaiserslautern, Germany (KTOWN); Defense Lang Institute; West Point; Walter Reed; Ft. Detrick; Ft. Belvoir; Inst. Mgmt Agency-Outside of the Continental United States (OCONUS); Ft. Devens; Ft. Lee

MSW-JAK (JAK (Japan-Korea))
  Applicable DFAS field sites: Yokota, Japan; Seoul, Korea
  Installation databases: Japan; Korea

MQC-ASIMS-T9 (Supports STANFINS Development)
  Applicable DFAS field sites: N/A
  Installation databases: N/A

MQD-ASIMS-H (Huntsville)
  Applicable DFAS field sites: Rome, NY; Lawton, OK; DNO, Indianapolis, IN; Orlando, FL; Lexington, KY
  Installation databases: Ft. Bragg; Installation Management Agency (IMA) East; IMA West; Ft. Gordon; NGB Alabama; Ft. Jackson; Ft. McPherson; Ft. Rucker; Ft. Stewart; Kuwait; United States Military Training Mission (USMTM)-Saudi

Information Security

STANFINS is an unclassified Army-wide standard accounting system. The technical implementation of information security has been applied to STANFINS at various levels of the GSS (i.e., workstations, servers, hosts, operating systems, network/communication devices, etc.) and application architecture.
In accordance with DoD Directive 8500.1 and DoD Instruction 8500.2, the MAC for this system has been determined to be MAC III. The confidentiality level of the system is Sensitive. All data processed by STANFINS is sensitive but unclassified data. The loss, misuse, or unauthorized access to or modification of this information could adversely affect the national interest or the privacy to which individuals are entitled under section 552a of Title 5, United States Code (the Privacy Act).

Users access STANFINS at IBM-compatible workstations that contain terminal emulation software enabling them to connect to the STANFINS-resident mainframe via their local area network (LAN) server gateway and the NIPRNET government communications network. Physical access controls to DFAS sites and desktop operating system security are applied to restrict access to authorized individuals at the local workstation level. The application of least-privilege and need-to-know information security principles, utilization of user ID and password security, configuration of operating system/server security settings in accordance with DoD security implementation guidelines, and implementation of physical access controls to communications devices and lines provide network-level security that restricts access to ELAN and NIPRNET resources (including STANFINS access points) to authorized individuals.

Users connect to the mainframe and their STANFINS application/database instance by accessing and being validated by Computer Associates' Access Control Facility 2 (ACF2) and CA-Top Secret Security [1] mainframe security software products. ACF2 and Top Secret are programs that enable security control and facilitate security administration in compatible mainframe environments. Physical access controls implemented at DECC-St. Louis augment the application of the technical controls described in this paragraph.

[1] The CA-Top Secret Security mainframe security software package is used to restrict access to the Japan and Korea Logical Partitions (LPARs). The remaining LPARs are secured using ACF2.

Application Functionality

STANFINS is a general ledger containing all financial transactions for the customers it serves, largely Army installations. Financial data includes, but is not limited to, military and civilian pay transactions, cash accountability, vendor and commercial pay, travel pay, and funding. STANFINS records obligations, funds authorization, disbursements, accruals/expenditures, billings and collections, and reimbursables. Of special note, STANFINS was not intended to provide commitment accounting, budgetary accounting, or funds control. STANFINS records what has transacted but does not automatically control what has transacted.

Inputs to STANFINS

STANFINS accepts data in one of two ways.

1. Manual entry via TAPS. TAPS provides real-time online edits for data values. A warning appears if a data element or combination of data elements is incorrect. For example, if an Account Processing Code (APC) is not valid, a warning message will appear; however, users have the ability to bypass the warning and continue processing the transaction. Because STANFINS is a batch system, the APC code may not yet have been posted to the master file, so it is a timing issue. If the user fails to enter the APC in the APC master, the transaction will fail and appear on a daily prelim report. A supervisor or "reconciler" obtains the Daily Preliminary Balance (AVK018) report and reconciles failed transactions. The "reconciler" is a different person than the input person.
2. Automated interface/file load [2].
   STANFINS receives files in one of three formats: qam (80 character, from field site), nam (80 character, from Installation), or DeCA (200 character). Currently, not all interface files into STANFINS are fully automated. Field site users have the ability to pull down a file, modify it, and then load it into STANFINS. Generally, a PC-based Microsoft Access database performs this offline function for the purpose of putting the file into the correct format; however, as in any manual process, there is a risk that the data is modified rather than just reformatted.

[2] May have manual intervention.

Activities within STANFINS

Accounting transactions must be recorded and reported in the accounting period (month) in which they occur. The system automatically generates the General Ledger effect for each detail transaction based on the Type Action code of the transaction and other applicable direct or indirect input data, including the APC, Element of Resource (EOR), Standard Document Number, and FY. The effect of these relationships is captured as a G/L Proforma Code, which defines the General Ledger account effects.

Outputs from STANFINS

STANFINS outputs can be categorized as follows:

(1) Reports/Queries. STANFINS produces a variety of reports and queries using the Online Report Viewer (OLRV), including exception reports, management reports, and financial reports. The system produces these reports on a daily, weekly, monthly, and/or as-required basis to provide information that is current and available when needed. Report files can also be sent to the CORP File Transfer Protocol (FTP) servers for use in DARS.
(2) Interface Files. STANFINS sends interface files to three places:
    • Operational Data Store (ODS);
    • CORP1 or CORP2 – FTP servers in the Information Services Organization (ISO) and TSO, respectively. CORP1 is for other field sites; CORP2 is for the DNO; or
    • Installations' servers.

Various systems and/or users use the outgoing interface files for various purposes. Examples include using the obligation information to determine if a disbursement can be made, matching the obligation to the funded amount, and providing updated master file tables.

Interfacing Systems

The following table documents systems that directly interface with STANFINS, as well as the nature of the interface and other relevant information:

[Figure: STANFINS interface diagram. STANFINS at the center, exchanging data with CAPS-W, HQARS, ATLAS, OLRV, TAPS, CICS, IFS, ODS, DEBX, ISB, DARS*, DBCAS, and SARRS Interfund. Flows labelled in the figure: Master Files, Transaction History, Transactions, Reports, Obligations, Cost Transfers, Funding, and 112, 218, DELMAR, GL.]

*DARS and ATLAS are not "systems" per se but PC-based utilities that send and/or receive data from STANFINS for various purposes.

Columns: Interfacing System / Receive from STANFINS / Send to STANFINS / Nature of Interface / Notes

TAPS/CICS
  Nature of interface: Location-to-location copy within the same mainframe
  Notes: Front-end tool that facilitates/provides capabilities to manually input accounting data into STANFINS.

Accounting Transaction Ledger Archival System (ATLAS)
  Nature of interface: FTP
  Notes: A queriable PC-based historical database tracking all transactions (funding, obligations, accruals, and disbursements) entering STANFINS via historical master files.

Computerized Accounts Payable System (CAPS)
  Nature of interface: FTP
  Notes: System uses the Account Processing Code Master file AXWAVK from STANFINS to provide accounting classification data used to make payments to vendors.

Databased Accounting Reconciliation System (DARS)
  Nature of interface: FTP
  Notes: PC-based system receiving STANFINS historical master data files for research and possible mass correction of transactions previously entered into STANFINS. The files used by DARS are received and sent. Process is usually initiated in each of the Systems Offices of the field site from DECC-St. Louis.

Databased Commitment Accounting System (dbCAS)
  Nature of interface: FTP
  Notes: PC-based Commitment Accounting System creating commitments, thus creating candidate obligation transactions used by STANFINS. During the STANFINS daily batch cycles, output files are created and sent to each of the dbCAS field site offices for distribution throughout their network.
STANFINS passes the\n                                                             confirmation of the obligation entered\n                                                             into STANFINS (successful\n                                                             processing), and when the\n                                                             disbursement information is processed\n                                                             into STANFINS, the disbursement\n                                                             information is then passed to dbCAS\n                                                             to complete the cycle. Process is\n                                                             usually initiated in each of the\n                                                             Systems Offices of the field site from\n                                                             DECC-St. Louis.\nCustomer Automation                            FTP           EDI transaction facilitation system;\n         and                                                 obligation acknowledgements are sent\n Report Environment                                          to STANFINS or DEBX, purchase\n      (DEBX)                                                 card obligations received by DEBX\n                                                             are sent to STANFINS. 
DECC-\n                                                             Ogden, Utah runs DEBX, which\n                                                             receives X-12 standard UDF files and\n\n\n                                               25\n\x0c  Interfacing System       Receive    Send to    Nature of                   Notes\n                            from     STANFINS    Interface\n                          STANFINS\n                                                             creates user specific system UDF for\n                                                             batch input into STANFINS. The\n                                                             files are in clear text STANFINS\n                                                             specific formats for processing\n                                                             obligations, accruals, and\n                                                             disbursement. These files are sent to\n                                                             DECC-St. 
Louis, Chambersburg,\n                                                             Rock Island (East or West),\n                                                             Huntsville, and the Far East.\n  Headquarters Army                             FTP          System receives Status, Expenditure,\n  Reporting System                                           and General Ledger report data form\n                                                             STANFINS during the month-end and\n                                                             year-end processing.\n  Integrated Facilities                         FTP          System provides STANFINS cost\n   System-Modified                                           distribution (obligation, accrual, and\n                                                             disbursement) data for the facility\n                                                             engineers at each post, camp, and\n                                                             station worldwide.\n  Installation Supply                           FTP          ISB passes logistic financial\n         Buffer                                              transactions including obligations,\n         (ISB)                                               accruals, disbursements, and interfund\n                                                             bills. U.S. Army Wide CONUS,\n                                                             OCONUS Installation (36 databases),\n                                                             DFAS-IN field sites (Rome, Orlando,\n                                                             DNO, Lexington, Lawton, Seaside,\n                                                             Europe), Norfolk, Pacific, Japan, San\n                                                             Antonio, and U.S. 
Army Reserve use\n                                                             ISB.\nOperational Data Store                          FTP          Sends STANFINS Obligations,\n                                                             Accruals, Payables, Accounts\n                                                             Receivable, Expenses, and\n                                                             Disbursements, and in turn receives\n                                                             transactional historical data. ODS is a\n                                                             major conduit for external interfacing\n                                                             systems, including SRD1, CAPS,\n                                                             DCD/DCW, DDRS, MOCAS, DJMS,\n                                                             DCPS, FAS, TAMMIS, AFMIS,\n                                                             ACIIPS, IATS, and others. Data is\n                                                             transmitted on a daily basis both as a\n                                                             sending system and a receiving\n                                                             system.\nOn-Line Report Viewing                          FTP          Commercial Off-the-Shelf, Report\n                                                             Dot Web provides users reports\n                                                             modeled after STANFINS reports.\n\n\n\n\n                                                26\n\x0cSTANFINS Support Organizations\n\nThe PMO, headquartered at DFAS-Indianapolis, is primarily responsible for the overall operation of\nSTANFINS. 
In addition to this responsibility, the PMO helps to ensure the development and
implementation of policies related to STANFINS and corresponding accounting operations; the
administration and operation of the system in accordance with DoD security and operational
requirements, as well as decision making regarding the strategic direction of future system operations,
including anticipated fixes and enhancements, if any; and consideration of eventual STANFINS
replacement alternatives. The PMO is also responsible for the implementation of the STANFINS C&A
process in accordance with DITSCAP, DoD’s governing policy and detailed instructions for carrying out
C&As.

The TSO, headquartered in DFAS-Indianapolis, is responsible for elements of the technical
administration of STANFINS and provides multi-tier system support in coordination with other
organizations (see paragraph below).

The TSO develops and performs unit and function testing of changes to the STANFINS production
environment and is responsible for the administration of STANFINS’ database configuration and
maintenance. TSO is responsible for CICS and TAPS administration and maintenance. Additionally,
TSO is responsible for elements of security administration for the STANFINS mainframe resources,
including the STANFINS application itself. The TSO carries out its responsibilities for security
administration in coordination with the DISA Systems Management Center at DECC-St. Louis. The
TSO carries out its responsibilities for many aspects of system support in coordination with the CDOIM,
as well as decentralized DOIM organizations servicing other DFAS sites.

The CDOIM is also located at DFAS-Indianapolis. CDOIM is responsible for the overall management
and continuance of the STANFINS batch production cycles, including maintenance of the production job
schedule, Job Control Language maintenance, operations monitoring, and the resolution of unintended
deviations from the STANFINS production job schedule. CDOIM employs the Control-M scheduling
utility to maintain daily, weekly, monthly, or annual production runs as required. CDOIM is also
responsible for providing testing support to the PMO and TSO for STANFINS changes. CDOIM is
composed of primary, backup, and alternate analysts, and is also responsible for process scheduling.

Additionally, four decentralized DOIM organizations support the following DFAS field sites: Colorado,
Korea, Hawaii, and Japan.

The decentralized DOIM organizations are responsible for the management and continuance of the
STANFINS batch production cycles related to the sites that they support.

STANFINS User Organizations

STANFINS is deployed worldwide at DFAS and customer locations, including selected Defense
Agencies, DFAS field sites (including Hawaii, San Antonio, Indianapolis, Orlando, Rome, Lawton,
Seaside, Denver, and Japan), Army Posts, Camps and Stations (e.g., Fort Riley, Fort Belvoir, Fort Leonard
Wood), DeCA, DARPA, and Security Assistance. Additionally, STANFINS supports the accounting
activities of other DoD agencies. In all, approximately 36,000 users access STANFINS data.

Communication

Defense Finance and Accounting Service

Pertinent control information is critical to maintain an effective internal control system. Information is
identified, captured, and communicated in a form and timetable that enables personnel to carry out their
responsibilities in an efficient and effective manner. Management reviews reports containing operational,
strategic, and financial information that make it possible to monitor and control the organization.

Effective communication also occurs in a broader sense throughout the organization. Management
stresses the importance of control responsibilities to personnel. Management accomplishes this through
supervision and various communication methods (e-mail, periodic status meetings, postings, etc.).
Personnel understand their duties and roles in the internal control system, as well as how their individual
activities relate to the work of others. Management is receptive to employee suggestions on ways to
enhance productivity, quality, or other improvements to the current products and services offered by the
DFAS/DISA organization.

Defense Information Systems Agency

Computing Services Operations Headquarters develops policies establishing performance standards,
operating procedures, operational metrics and reporting, standard capacity and performance reporting,
quality assurance and quality control, disaster recovery, strategic planning, and other practices required to
guide execution of operations services to meet DISA CSD objectives and customer expectations.

The Central Communications Centers (CCC) are configured with the capability to back up the other CCC
and support full network infrastructure operations. The CCC can remotely manage the CSD network
infrastructure via a secure out-of-band management network. CCC management responsibilities include
the support of routing, switching, Domain Name Services (DNS), Wide Area Network (WAN) interfaces
to DISA Network Services, and network security device operations. The CCC also provides the
appropriate event correlation for network and security environments within the data centers and serves as
the SMC escalation organization to the Wide Area Network management centers, Regional Network
Operations Service Center (RNOSC), as well as Service/Agency base-level management centers.

The CSOD Network Operations is responsible for the up-channel reporting of operations incidents.
Categories of incidents have been identified as high impact, high visibility, or high interest, requiring
detailed reporting to a defined chain of senior management. Specific information requirements have been
defined for the incident reports to help ensure completeness, accuracy, and understandability. Standard
trouble tickets that provide the basic information must be cleansed to ensure that these informational
requirements are met and consolidated into the defined incident reporting format. Centralization of this
function from field elements assures consistency and responsiveness to senior management needs.

D. CONTROL OBJECTIVES AND RELATED CONTROL ACTIVITIES

DFAS and DISA control objectives and related controls are included in section III of this report, “Control
Objectives, Control Activities, and Tests of Operating Effectiveness,” to eliminate the redundancy that
would result from listing them in this section and repeating them in section III. Although the control
objectives and related controls are included in section III, they are, nevertheless, integral parts of DFAS
and DISA control descriptions.

E. USER ORGANIZATION CONTROL CONSIDERATIONS

The control activities at DFAS and DISA related to STANFINS were designed with the assumption that
certain controls would be placed in operation at user organizations. The application of such controls by
user organizations is necessary to achieve certain control objectives identified in this report. This section
describes some of the controls that should be in operation at user organizations to complement the
controls at DFAS and DISA. The following user organization control considerations are not a
comprehensive list of all controls that user organizations should employ.

User organizations should have policies and procedures in place to provide reasonable assurance that:

•   Hard copy documents (e.g., purchase orders, training orders, and miscellaneous obligation
    documents) are authorized, accurate, and complete before the user submits them to STANFINS for
    input and automated processing.

•   Authorized individuals input data into STANFINS, enter it accurately and completely, and seek
    approval from appropriate personnel for transactions that are input.

•   Erroneous data are corrected and resubmitted in a timely manner.

•   The appropriate users review output for completeness and accuracy.

•   STANFINS computer terminals, communication lines, and data outputs are protected from
    unauthorized access.

•   Passwords needed to access STANFINS through computer terminals are protected against
    unauthorized disclosure and misuse.

•   STANFINS’ Terminal Area Security Officers (TASO) are notified in a timely manner when
    employees leave or transfer, supporting the TASO’s ability to cancel system access authority for those
    individuals.

In addition, some DFAS customers submit data into STANFINS and review and correct their own
transactions. In such circumstances, controls should be placed in operation to provide reasonable
assurance that only authorized source documents are input; errors are identified timely, reviewed, and
corrected; and the correction of errors is appropriately authorized.

Section III: Control Objectives, Control Activities, and Tests of Operating Effectiveness

III. Control Objectives, Control Activities, and Tests of Operating Effectiveness

A. SCOPE LIMITATIONS

The Office of the Inspector General, Department of Defense, specified the control objectives documented
in this section. As described in the prior section (section II), STANFINS interfaces with many systems.
The controls and tests described in this section of the report are limited to those computer systems,
operations, and processes directly related to STANFINS. Controls related to the source and destination
systems associated with the STANFINS interfaces are specifically excluded from this review. We did not
perform procedures to evaluate the effectiveness of the input, processing, and output controls in these
interfacing systems, although we did perform procedures to evaluate STANFINS interface input and
output controls. We did not conduct penetration testing on STANFINS because this FISCAM procedure
was performed under the Audit of the Defense Computing Services, Project Number D2004-D000FC-0191.
The fieldwork identified no deficiencies. The Defense Computing Services report will be issued in
June 2005.

B. CONTROL DEFICIENCIES

Test procedures disclosed operating effectiveness deficiencies in certain control activities.
Where the
audit team was able to identify and test additional controls that allowed the control objective to be
achieved, we documented such compensating controls and/or circumstances, as well as the description of
the operating effectiveness deficiency, in the following matrix. In addition, the audit team identified
certain compliance exceptions with DoD IA standards and/or other Federal legislation, criteria, standards,
or regulations. Where such exceptions related to the suitability of design and/or operating effectiveness
of key controls placed in operation to achieve control objectives, we documented the controls and/or
circumstances. In a separate DFAS and DISA management report, the audit team identified compliance
exceptions not related to the suitability of design and/or operating effectiveness of key controls intended
to achieve control objectives. We have not included these exceptions herein because they do not
adversely impact the achievement of the control objectives included in this Service Auditors’ Report.

C. CONTROL OBJECTIVES, CONTROL ACTIVITIES, AND TESTS OF OPERATING EFFECTIVENESS

Security Program (SP)

Controls provide reasonable assurance that a security program is established.

Matrix columns: Control Description; Tests of Operating Effectiveness; Results of Tests of Operating
Effectiveness. Each control activity is presented for DISA and for DFAS, with each test followed by its
result.

Control Activity: SP-1 Risks are periodically assessed.

DISA
  Control Description: DISA DECC completed its Risk Analysis in January 2004. The primary objective
  of the Risk Analysis was to quantify the level of risk associated with the operating systems. The DISA
  DECC Risk Analysis is comprised of five parts: threat types, the probability of the threat occurring, the
  potential risks to be realized if the threat occurs, the cost of the threat, and countermeasures. Risk
  assessments are conducted when a major change occurs or once every three years.
  Test: Inspected risk assessment policies and the most recent DECC risk assessment to determine
  whether it was independently performed in compliance with National Institute of Standards and
  Technology (NIST) 800-30 standards.
  Result: No exceptions noted.

DFAS
  Control Description: The STANFINS SSAA includes the risk assessment policies and the most recent
  high-level risk assessment conducted in November 2003, based on MAC III controls. The IA division of
  TSO performed the MAC III-based risk assessment. The MAC III assessment evaluates existing policies
  and procedures, and provides a summary of areas of potential risk that relate to STANFINS and
  safeguards that can be applied to reduce those risks and vulnerabilities.
  Test: Inspected risk assessment policies and the most recent STANFINS risk assessment to determine
  whether it was independently performed in compliance with NIST 800-30 standards.
  Result: No exceptions noted.

Control Activity: SP-2.1 A security plan is documented and approved.

DISA
  Control Description: DISA DECC documents a security plan that provides basic security guidance for
  the protection of DECC-St. Louis processing resources. DISA Instruction 630-230-19 provides guidance
  for the development of security plans for DISA major applications (MA) and GSS. The DECC Director
  endorses the Executive Summary of the plan.
  Test: Inspected the DISA DECC security plan to determine whether the security plan was approved and
  complied with Office of Management and Budget (OMB) Bulletin 90-08 and A-130, as well as
  NIST 800-18.
  Result: No exceptions noted.

DFAS
  Control Description: The SSAA Information System Security Policy and Plan sections contain a short
  description of STANFINS and its systems architecture that summarizes the security objectives for
  confidentiality, integrity, authenticity, availability, accountability, and economic feasibility of
  integrated security mechanisms. The policy and plan also address control requirements for
  discretionary access for certain personnel, auditing, service continuity, and personnel screening.
  Test: Inspected the STANFINS security plan to determine whether the STANFINS security plan was
  approved and complied with OMB Bulletin 90-08 and A-130, and NIST 800-18.
  Result: Exception noted: the description is outdated, showing multiple DECCs supporting STANFINS.
  The interface diagram depicts many direct interfaces to STANFINS. Most of the interfaces are to ODS.
  Also, there is system software that is not described (Control-M, ACF2, VASS, and ROSCOE).

Control Activity: SP-2.2 The plan is kept current.

DISA
  Control Description: The DISA DECC security plan is current.
  Test: Inspected the DISA DECC security plan to determine whether the plan was current.
  Result: The most recent DISA DECC security plan is dated January 10, 2004. No exceptions noted.

DFAS
  Control Description: The SSAA Authority to Operate (ATO), which in part represents the approval of
  the security plan as current, is signed by the Director, Information and Technology, a designated
  approval authority, and is current. It is the responsibility of the STANFINS Program Manager to
  initiate the STANFINS recertification and reaccreditation at least every three years.
  Test: Inspected the STANFINS security plan to determine whether the plan was current.
  Result: The ATO is signed and dated December 12, 2003. However, subsequent changes to the
  STANFINS infrastructure have made the System Description in Appendix E of the SSAA – Information
  System Security Policy outdated. Specifically, the description is outdated, showing multiple DECCs
  supporting STANFINS.

Control Activity: SP-3.1 A security management structure has been established.

DISA
  Control Description: The DISA Computing Services Security Handbook defines the responsibilities of
  the Directors, DISA Security Officer, DISA Designated Approval Authority, DISA Certification
  Authority, Commander of DISA Computing Services, Chief of the Field Security Officer, DISA
  Computing Services Security Manager (SM), DISA Computing Services Information Systems Security
  Officer (ISSO), Network Security Officer (NSO), and TASO.
  Test: Inquired of Security Branch Chief and inspected an organizational chart to determine whether a
  person was appointed with specific responsibility for security.
  Result: No exceptions noted.

  Control Description: The DISA DECC security plan also outlined the responsibilities of the appointed
  DISA DECC SM, ISSM, NSO, and Information Systems Security Officers.
  Test: Inquired of Security Branch Chief and inspected an organizational chart to determine whether
  the security appointee was subordinate to STANFINS management or a major user.
  Result: No exceptions noted.

  Control Description: DISA DECC appoints a primary security official, the ISSM/IA Manager
  (IAM)/NSO.
  Test: Inspected the DISA DECC Security Plan to determine whether it outlined security responsibilities
  as described in the Control Description.
  Result: No exceptions noted.

DFAS
  Control Description: The responsibilities of the ISSM at the PMO/TSO, ISSO, and TASOs at DFAS
  sites are established and documented.
  Test: Inquired of the ISSO/TASO and inspected an organizational chart to determine whether a person
  was appointed with specific responsibility for security.
  Result: No exceptions noted.
  Test: Inquired of the ISSO/TASO and inspected an organizational chart to determine whether the
  security appointee was subordinate to STANFINS management or a major user.
  Result: At DFAS San Antonio, DFAS Pacific, DFAS Seaside, DFAS Denver, and DFAS Indianapolis, the
  TASO/security appointee was subordinate to STANFINS management.
  Test: Inquired of the ISSO to assess whether owners and users of the system were aware of the
  security structure.
  Result: No exceptions noted.

Control Activity: SP-3.2 Information security responsibilities are clearly assigned.

DISA
  Control Description: DISA DECC appoints a primary security official, the ISSM/IAM/NSO.
  Additionally, generic job descriptions for IT Specialists in the Security Division and Operations
  Security Branch document baseline responsibilities for different positions and include an outline of
  security responsibilities and prohibited activities.
  Test: Inquired of Security Branch Chief and inspected the DISA DECC Security Plan to determine
  whether security responsibilities and expected behaviors were clearly defined and documented.
  Result: No exceptions noted.

  Control Description: DISA DECC position appointment letters include the position descriptions for
  Security Division personnel who work directly with the STANFINS application. Position appointment
  letters are used when additional responsibilities are assigned to DECC personnel. The appointment
  letter details the employees’ new roles and duties and the timeframe for which the position will be
  held.
  Test: Inspected the position descriptions for key IT positions relevant to STANFINS to determine
  whether security responsibilities were clearly assigned.
  Result: No exceptions noted.

DFAS
  Control Description: DFAS sites have organizational charts, job descriptions, and standard operating
  procedures that outline security responsibilities for IT personnel.
  Test: Inquired of ISSO and inspected documentation, including standard operating procedures and
  position descriptions for key IT personnel, to determine whether security responsibilities and
  expected behaviors were clearly defined, assigned, and documented.
  Result: At DFAS Rome, job descriptions did not address specific job duties and/or prohibited
  activities.

Control Activity: SP-3.3 Owners and users are aware of security policies.

DISA
  Control Description: DISA DECC follows the guidelines prescribed in DISA Instruction 630-230-19 and
  the DISA Computing Services Handbook for providing training to DISA DECC staff.
  Test: Inquired of Security Branch Chief as to the procedure to make data owners and system users
  aware of their security responsibilities.
  Result: No exceptions noted.

  Control Description: DISA DECC personnel must take security awareness training, workplace violence
  training, and anti-terrorism training before gaining access to any system.
  Test: Inspected the training materials to determine the topics covered. For all employees,
  Result: DISA DECC-St. Louis employees had not received annual security awareness
inspected training documentation that                 training since October 12, 2003.\n                                                                      supported attendance of security awareness\n                                                                      training.\nSecurity awareness posters throughout the DECC facility\n                                                                  \xe2\x80\xa2   Observed the posters throughout the DECC          \xe2\x80\xa2   No exceptions noted\nillustrate various security related topics (i.e., viruses,\n                                                                      facilities to verify that security topics were\nfreeware/shareware, unique passwords, etc.).\n                                                                      communicated.\n\n                                                                  \xe2\x80\xa2   For IT employees who work with STANFINS,          \xe2\x80\xa2   No exceptions noted\nDISA DECC employees must sign a non-disclosure agreement              inspected confidentiality/security agreements\nform, which represents an acknowledgement of employees\xe2\x80\x99               to determine if they were signed.\nunderstanding and acceptance of confidential information\ndisclosure restrictions and requirements.\n\n\n\n\n                                                                                38\n\x0cControl Description                                              Tests of Operating Effectiveness                     Results of Tests of Operating Effectiveness\nDFAS\nDFAS sites coordinate new users\xe2\x80\x99 security awareness training     \xe2\x80\xa2   Inquired of ISSO/TASO as to the procedure to     \xe2\x80\xa2   Four out of ten DFAS field sites (DFAS\ndesigned to provide an overview of the security structure at         make data owners and system users aware of           Pacific, DFAS Japan, DFAS Denver and\nDFAS and other important topics relevant to security. 
Existing       their security responsibilities. Inspected the       DFAS San Antonio) had no training plans\nemployees must take an annual refresher security awareness           Information Assurance Training and                   in place. Two out of ten DFAS field sites\ntraining to keep abreast of security related topics.                 Certification Plan to determine guidelines for       (DFAS Orlando and DFAS Columbus)\n                                                                     training.                                            did not track attendance.\nDFAS sites send monthly security highlights via e-mail to keep\nemployees abreast of security related topics.                                                                         \xe2\x80\xa2   There was no DFAS-wide IT Technical\n                                                                                                                          Training policy that outlined ongoing\nEach new employee fills out attendance listings as evidence                                                               training requirements for personnel in IT-\nthat they have completed the security awareness training.                                                                 related positions. 
As a result, it was left\n                                                                                                                          to each DFAS field site to determine the\n                                                                                                                          level of training required for IT-related\n                                                                                                                          positions, and attendance was not tracked\n                                                                                                                          at every site.\n\n                                                                 \xe2\x80\xa2   Inspected the training materials to determine    \xe2\x80\xa2   No exceptions noted.\n                                                                     whether topics covered addressed security\n                                                                     awareness training requirements.\n\n                                                                 \xe2\x80\xa2   Inquired of PMO, TSO, and DFAS field site        \xe2\x80\xa2   Four out of the ten DFAS field sites had\n                                                                     management and inspected security awareness          issues with security awareness training\n                                                                     training attendance listings and other tools         attendance:\n                                                                     used to track course completion to determine         \xe2\x80\xa2 DFAS Columbus did not centrally\n                                                                     whether employees were receiving security                 track who had attended training.\n                                                                     awareness training.\n                                                      
                                                                    \xe2\x80\xa2 DFAS Rome did not centrally track\n                                                                                                                               who had attended said training;\n                                                                                                                               training was overdue for 22 of 26 new\n                                                                                                                               hires.\n                                                                                                                          \xe2\x80\xa2 At DFAS San Antonio, eight out of\n                                                                                                                               33 current user access forms did not\n                                                                                                                               have a training certificate of\n                                                                                                                               completion on file.\n                                                                                                                          \xe2\x80\xa2 At DFAS Seaside, 13 out of 31\n                                                                                                                               current user access forms did not\n                                                                                                                               complete their annual security\n                                                                                                                               awareness training.\n\n\n\n                                                                              39\n\x0cControl Description                                   
          Tests of Operating Effectiveness                    Results of Tests of Operating Effectiveness\nControl Activity:\nSP-3.4 An incident response capability has been implemented.\nDISA\nThe Regional Computer Emergency Response Team has               \xe2\x80\xa2 Inquired of the Network Security                  \xe2\x80\xa2   No exceptions noted.\ndocumented incident response procedures (Security Directive         Administrator and the Information Assurance\n#00-1) and uses the DISA Computing Services Handbook for            Officer and inspected incident response\nguidance on handling incidents (virus, malicious code, etc.),       policies and procedures to determine whether\nreporting structure (local and regional), and prioritization of     the incident response capability was\nincidents. An Information Assurance Categories listing              documented as required by NIST 800-61.\nprovides classification guidance for individuals to report\ninformation security incidents. DISA DECC-Mechanicsburg         \xe2\x80\xa2 Inspected the Information Assurance               \xe2\x80\xa2   No exceptions noted.\nhas a help desk available for customers to call, e-mail, or         Categories listing to determine whether\notherwise communicate incidents.                                    
classification guidance for individuals to\n                                                                    report information security incidents was\n                                                                    documented.\n\n                                                                \xe2\x80\xa2   Observed the DISA DECC help desk function       \xe2\x80\xa2   No exceptions noted.\n                                                                    to note whether an appropriate help desk\n                                                                    function was in place within DISA DECC-\n                                                                    Mechanicsburg and DISA DECC-St. Louis.\nDFAS\nThe STANFINS incident response policy is detailed in the         \xe2\x80\xa2 Inquired of the ISSM and TSO personnel and       \xe2\x80\xa2   The incident response plan did not include\nSSAA. The incident response plan describes procedures to           inspected incident response policies and             awareness training for individuals with\nmitigate security threats to the STANFINS system, types of         procedures in the SSAA to determine whether          access to the system that addresses how to\nreportable incidents, and specifies designated staff members       the incident response capability had                 use the system\xe2\x80\x99s incident response\nresponsible for each type of potential incident. Network           characteristics required by NIST 800-61.             capability.\nsecurity violations and internal control weaknesses are reported\nto the ISSO and password compromises are reported to the\nTASO. 
The plan outlines a specified, centralized reporting\nprocedure for reportable security incidents.\nControl Activity:\nSP-4.1 Hiring, transfer, termination, and performance policies address security.\nDISA\nThe DISA Computing Services Security Handbook prescribes         \xe2\x80\xa2 Inquired of Security Branch Chief to note        \xe2\x80\xa2   No exceptions noted.\nguidelines addressing personnel security controls and addresses    whether hiring, transfer, termination policies\nposition sensitivity designations, documenting and updating        addressed security.\ndesignations, investigation and reinvestigation requirements,\nand adjudication and clearance procedures. The DISA              \xe2\x80\xa2 Inquired of Security Branch Chief to note the    \xe2\x80\xa2   No exceptions noted.\n\n\n\n                                                                             40\n\x0cControl Description                                                Tests of Operating Effectiveness                     Results of Tests of Operating Effectiveness\nComputing Services Handbook also addresses the termination             background investigation process for new and\nprocess for all DISA DECC employees.                                   current employees. Inspected Computing\n                                                                       Services Handbook to determine whether it\n                                                                       addressed these processes.\n\n                                                                   \xe2\x80\xa2   Inspected all IT staff personnel records to      \xe2\x80\xa2   DISA DECC-St. 
Louis had three out of\n                                                                       determine whether authorized personnel               eight employees that had separated from\n                                                                       contacted references, performed background           the facility without exit records on file,\n                                                                       checks, and filed appropriate documentation          therefore allowing users to potentially\n                                                                       on separated employees.                              retain access to sensitive areas within the\n                                                                                                                            computing center.\n                                                                   \xe2\x80\xa2   For IT employees who work with STANFINS,\n                                                                       inspected confidentiality/security agreements    \xe2\x80\xa2   DISA DECC-St. Louis did not possess\n                                                                       to determine if they were signed.                    signed confidentiality/ security\n                                                                                                                            agreements for three of 15 employees.\nDFAS\nHuman Resources follows policies and procedures prescribed         \xe2\x80\xa2   Inquired of ISSO and Recruitment Chief to        \xe2\x80\xa2   No exceptions noted.\nby the Office of Personnel Management (OPM), and uses DoD              note whether hiring, transfer, and termination\nguidelines and DFAS regulations as supplementary sources for           policies and procedures addressed security.\nhiring, performance of background checks, transfer, and                Inspected the OPM guidance that Human\ntermination of employees.     
                                         Resources follows to determine whether\n                                                                       procedures addressed OPM policies and\nAll new employees must undergo DFAS New Employee                       procedures.\nOrientation and complete required security related on-boarding\ntasks, including a security and safety briefing and Personal       \xe2\x80\xa2   Inspected materials used for New Employee        \xe2\x80\xa2   No exceptions noted.\nIdentification Number (PIN) identification for Common Access           Orientation and Out-Processing to determine\nCards (CACs). Authorized personnel conduct and document                whether security content was included.\nbackground investigations.\n                                                                   \xe2\x80\xa2   Inquired of ISSO and Recruitment Chief to        \xe2\x80\xa2   Positions at DFAS-Rome are SF-85P\nEmployees must undergo an \xe2\x80\x9cOut-Processing\xe2\x80\x9d clearance\n                                                                       determine the background investigation               Non-Critical Sensitive and new hires did\nprocedure if terminated or transferred from DFAS sites. A\n                                                                       process for new and current employees.               not sign a security or confidentiality\nform is completed identifying application access privileges that\n                                                                       Inspected IT personnel records to determine          agreement. DFAS-Denver did not\nneed to be deleted. Also, the ISSO must sign and complete a\n                                                                       whether references were contacted and                maintain information supporting the level\nsecurity access worksheet. 
This worksheet details the type of\n                                                                       background checks performed and/or                   of background investigation for any of the\naccess the employee was granted, date system access was\n                                                                       confidentiality agreements were complete.            15 accounting and IT personnel.\napproved, security initials, and date terminated.\n\n                                                                   \xe2\x80\xa2   For recently terminated employees, inspected     \xe2\x80\xa2   DFAS San Antonio did not maintain\n\n\n\n                                                                                41\n\x0cControl Description                                                Tests of Operating Effectiveness                      Results of Tests of Operating Effectiveness\n                                                                       the corresponding Out-Processing documents           signed Out-Processing documents for all\n                                                                       to determine whether they were completed.            
separated employees.\n\nControl Activity:\nSP-4.2 Employees have adequate training and expertise.\nDISA\nDISA DECC has implemented \xe2\x80\x9cCertification Program for               \xe2\x80\xa2   Inquired of the Security Branch Chief and         \xe2\x80\xa2   No exceptions noted.\nSystem Administrators\xe2\x80\x9d and \xe2\x80\x9cInformation Systems Service                inspected the DISA Computing Services\nProviders.\xe2\x80\x9d The program, dated August 2002, and the DISA               Handbook to determine whether a program\nComputing Services Handbook, outline several different                 was in place to provide adequate training to IT\ncertification courses that system administrators should take           personnel.\ndepending on their designated level.\n                                                                   \xe2\x80\xa2   For IT employees, inspected training records      \xe2\x80\xa2   DISA DECC-St. Louis had one IT\nIT personnel are allowed to take technical training classes            to determine courses taken.                           employee that did not receive any IT\noutside of DISA DECC programs as long as the training                                                                        technical training since entering the\nprogram is within budget and is justifiable based on job                                                                     position (ACF2 Administrator) in\nresponsibility/position requirements.                                                                                        December 2003.\nPersonnel maintain training documentation in individual\n                                                                                                                         \xe2\x80\xa2   DISA DECC-St. 
Louis had not provided\npersonnel files.\n                                                                                                                             employees annual security awareness\n                                                                                                                             training since October 12, 2003.\nDFAS\nDFAS uses DoD directive 8500.1 and Instruction 8500.2 \xe2\x80\x93            \xe2\x80\xa2   Inquired of Assistant Network Security            \xe2\x80\xa2   Of the ten DFAS field sites, DFAS-\n\xe2\x80\x9cInformation Assurance Training, Certification, and Workforce          Officer, the ISSM, and PMO and TSO                    Pacific, DFAS-Japan, DFAS-Denver and\nManagement\xe2\x80\x9d for training direction. This guidance describes            personnel to determine the structure of the           DFAS-San Antonio did not have training\ntraining requirements for system administrators, as well as            training program in place. Inspected DoD              plans in place. Of the ten DFAS field\nProgram Managers, ISSMs, ISSOs, and TASOs, and addresses               directive 8500.1, 8500.2, and the IT Technical        sites tested, DFAS-Orlando and DFAS-\nthe information assurance training requirements for end-users.         Training Program to determine whether a               Columbus did not track training\n                                                                       program was in place to provide adequate              attendance.\nPersonnel maintain training documentation in individual                training to IT personnel.\npersonnel files, supporting both technical training and security                                                         \xe2\x80\xa2   There was no DFAS-wide IT Technical\nawareness training.                                                                                                          
Training policy that outlined ongoing\n                                                                                                                             training requirements for personnel in IT-\n                                                                                                                             related positions. As a result, each DFAS\n                                                                                                                             field site determined the level of training\n                                                                                                                             required for IT-related positions, and\n                                                                                                                             attendance was not tracked at every site.\n\n\n\n\n                                                                                42\n\x0cControl Description                                           Tests of Operating Effectiveness                     Results of Tests of Operating Effectiveness\n                                                                                                                   \xe2\x80\xa2 Of the ten DFAS field sites, DFAS San\n                                                                                                                      Antonio did not have an annual technical\n                                                                                                                      IT training program in place for system\n                                                                                                                      administrators.\n\n                                                              \xe2\x80\xa2   Inspected job descriptions for IT personnel      \xe2\x80\xa2   No exceptions noted.\n                                                                  and compared 
it with their educational\n                                                                  backgrounds and experiences to determine\n                                                                  adequacy.\n\n                                                              \xe2\x80\xa2   For IT personnel, inspected technical training   \xe2\x80\xa2   Of the ten DFAS field sites (DFAS-\n                                                                  records to determine completion of courses.          Pacific) a TASO had not taken training\n                                                                                                                       for two years and another TASO had not\n                                                                                                                       taken training for three years.\n\n                                                                                                                   \xe2\x80\xa2   Of the ten sites visited, DFAS-San\n                                                                                                                       Antonio, DFAS-Orlando and DFAS-\n                                                                                                                       Columbus did not track completion of IT\n                                                                                                                       technical training.\nControl Activity:\nSP-5.1 Management periodically assesses the appropriateness of security policies and compliance with them\nDISA\nDISA\xe2\x80\x99s FSO performs SRRs as a part of its IA review and        \xe2\x80\xa2 Inquired of Security Branch Chief to note the     \xe2\x80\xa2   No exceptions noted.\ncertification and accreditation process once every two years.    methods used to assess compliance with\nThe SRR is an evaluation against DoD STIGs and DoD               security policy.\nguidance and policies. 
Recertification must occur if there are\nany major upgrades, changes, or breaches. Also, DISA DECC- \xe2\x80\xa2 Inspected the DISA DECC-St. Louis                     \xe2\x80\xa2   No exceptions noted.\nSt. Louis performs similar tests (using the same evaluation      mainframe and network platform STIGs to\ncriteria) on a more frequent basis to monitor compliance.        determine whether security configuration\n                                                                 requirements were documented.\nAdditionally, DISA\xe2\x80\x99s FSO conducts annual penetration testing.\nDISA DECC-St. Louis conducts penetration testing\n                                                               \xe2\x80\xa2 Inspected the network and mainframe platform      \xe2\x80\xa2   No exceptions noted.\napproximately every two months, or more frequently if\n                                                                 SRRs to determine whether management\nnecessary, to ensure that DECC systems information assurance\n                                                                 assessed compliance with security policies.\ncapabilities continue to provide adequate assurance against\nconstantly evolving threats.\nDFAS\nThe PMO prepares a STANFINS-specific Federal Managers\xe2\x80\x99        \xe2\x80\xa2   Inquired of the ISSM, PMO and TSO staffs to      \xe2\x80\xa2   No exceptions noted.\n\n\n                                                                           43\n\x0cControl Description                                             Tests of Operating Effectiveness                   Results of Tests of Operating Effectiveness\nFinancial Integrity Act (FMFIA) report once a year. 
DFAS
Control Description:
Arlington, Virginia prepares a Federal Information Security Management Act report for all DFAS information systems, including STANFINS.

The SSAA, the FMFIA Report of 2004, and the Threat and Vulnerabilities Assessment 2003 document the most recent self-assessments of STANFINS controls.

STANFINS must be re-accredited every three years, or sooner if the overall security posture of the system significantly changes.

Tests of Operating Effectiveness and Results:
[beginning of this test is on the preceding page] determine whether they developed processes to assess the appropriateness of security policies.
• Inspected the STANFINS self-assessment of controls located in the SSAA to verify that STANFINS was included in the scope.
  Result: STANFINS was included in the SSAA self-assessment scope. However, the SSAA did not meet all the requirements of DITSCAP and DoD Instruction 8500.2. Specifically:
  • Section 3, "System Architectural Description," page 17, did not meet the requirements for a current and comprehensive baseline inventory of all software.
  • Appendix K, "Incident Response Plan," did not adequately address several requirements related to security awareness of the Incident Response Plan.
• Inspected the most recent FMFIA reports to determine whether the PMO completed an FMFIA report related to STANFINS.
  Result: No exceptions noted.
• Inspected the signed Authority to Operate to determine whether a C&A was completed in the past three years.
  Result: No exceptions noted.

Control Activity:
SP-5.2 Management ensures that corrective actions are effectively implemented.

DISA
Control Description:
DISA DECC maintains a Plan of Action and Milestones (POAM) that tracks all issues identified through SRR reviews, including specific weaknesses, resources needed to implement corrective actions, progress in addressing weaknesses, and scheduled completion dates. It is the responsibility of the DISA DECC primary security official to send a status to DISA FSO to update their progress on the POAM issues.

Additionally, summary level results of the most recent SRRs are tracked through resolution in the Vulnerability Management System (VMS).

Tests of Operating Effectiveness and Results:
• Inquired of the Security Branch Chief as to the process for recording corrective actions that need to be implemented.
  Result: No exceptions noted.
• Inspected the POAM to determine whether review findings and associated corrective actions were documented.
  Result: No exceptions noted.
• Inspected summary level results of the most recent SRRs in VMS for the ASIMS domains and DECC network to determine whether SRRs were tracked.
  Result: No exceptions noted.

DFAS
Control Description:
A matrix is used to follow up on the FMFIA Report. The matrix identifies potential weaknesses. A testing matrix identifies control standards, evaluation methodology, and evaluation results for management controls.

Tests of Operating Effectiveness and Results:
• Inspected the FMFIA Report matrix to determine whether review findings and associated corrective actions were documented.
  Result: No exceptions noted.

Access Control (AC) – Logical Security

Controls provide reasonable assurance that logical access to the STANFINS application, as well as the underlying operating systems and network resources, is restricted to properly authorized individuals.

Control Activity:
AC-1.1 Resource classifications and related criteria have been established.

DFAS
Control Description:
DFAS has documented and communicated Service-wide and STANFINS-related policies, procedures, and guidance addressing resource classification and associated security requirements as a part of the STANFINS SSAA. The SSAA identifies STANFINS as a MAC III system and documents the resources required to preserve the confidentiality, reliability, and availability of STANFINS data. Additionally, the SSAA contains an evaluation of existing policies and procedures, vulnerabilities, weaknesses, and data flows. It also provides a summary of areas of potential risk that relate to STANFINS, and recommendations and safeguards that can be applied to reduce risks and vulnerabilities exploitable by threat sources.

Tests of Operating Effectiveness and Results:
• Inquired of TSO and PMO management and inspected the application security plans to determine whether a specific level of control (classification) was assigned to systems and resources based on the degree of the need to preserve confidentiality, reliability, and availability.
  Result: No exceptions noted.

Control Activity:
AC-1.2 Owners have classified resources.

DFAS
Control Description:
DFAS has documented and communicated Service-wide and STANFINS-related policies, procedures, and guidance addressing resource classification and associated security requirements as a part of the STANFINS SSAA. The SSAA identifies STANFINS as a MAC III system and documents the resources required to preserve the confidentiality, reliability, and availability of STANFINS data. Additionally, the SSAA contains an evaluation of existing policies and procedures, vulnerabilities, weaknesses, and data flows. It also provides a summary of areas of potential risk that relate to STANFINS, as well as recommendations and safeguards that can be applied to reduce risks and vulnerabilities.

Tests of Operating Effectiveness and Results:
• Inquired of TSO and STANFINS PMO management and inspected documentation to determine whether system owners had classified resources based on criteria and whether the classification was in accordance with the specific risk assessment.
• Inspected the risk assessment for STANFINS and the applicable GSS to determine whether a risk assessment was conducted based on NIST 800-30 and DoD Instruction 8500.2.
  Result: No exceptions noted.

Control Activity:
AC-2.1 Resource owners have identified authorized users and their access authorized.

DISA
Control Description:
The DISA Computing Services Security Handbook details granting access to system resources.

Users at the DISA DECC-St. Louis have access to STANFINS application production files and data as necessary to support system operation and respond to customer requests. DECC users also have access to the mainframe GSS where the application resides. The DECC is responsible for creating and maintaining DECC user accounts, as well as DFAS ISSO and TASO accounts at customer sites. The local ISSO/TASO is responsible for creating and maintaining user accounts at customer sites.

Users at the DECC (the majority of which are system software maintenance personnel) requiring access to the mainframe environment complete a form DD 2875, "System Authorization Access Request," used for initial access requests as well as for changes to an account. An authorized supervisor must sign this form indicating approval of the access. Users must possess a security clearance commensurate with the classification level of the system in order to obtain access. Passwords are communicated to users via secure means, either in person or via e-mail, using separate e-mails to transmit the user ID and the password.

The Remote Access Service (RAS) server connections provide direct dial-in access to the network. DECC users requesting remote access must submit an approved access request form (Form DD 2875). Remote access is granted to users with a valid need, which must be approved by a supervisor, to access the network remotely. Typically, users are granted remote access in order to respond quickly to emergency situations and resolve problems when not at the DECC facility. After receiving an approved remote access request, the Security Division staff adds the user to the RAS server.

Tests of Operating Effectiveness and Results:
• Inspected policies and procedures for granting and monitoring access to STANFINS IT resources.
  Result: No exceptions noted.
• Inquired of the DISA DECC-St. Louis Security Division Branch Chief to determine the process for granting access to STANFINS.
  Result: No exceptions noted.
• Inspected access control procedures to determine whether the process for granting, monitoring, and removing access to STANFINS followed Federal (NIST SP 800-26 – Logical Access) and DoD guidance (DoD Instruction 8500.2 – Remote Access, Access Procedures, Access Control Policies, Contractor and Foreign Nationals Access, Comprehensive Account Management, Least Privilege Procedures, Classified Data Protection).
  Result: No exceptions noted.
• Inspected access forms for a random sample of users of STANFINS (at the application and network level) to determine whether management authorized access.
  Result: At DISA DECC-St. Louis, we selected 42 users out of 1441 and requested their user access request form packets. Out of the sample of 42 packets:
  • One user did not have a completed access request form;
  • Three individuals had at least one access request form without a Security representative's signature certifying that the individual's background checks/security clearances were appropriate;
  • Six individuals had at least one access request form where the user acknowledgement portion was not signed.
• Inquired of the DISA DECC-St. Louis Security Division Branch Chief regarding policies and procedures for recertifying user access in STANFINS.
  Result: DISA DECC-St. Louis did not have a process for recertifying user access to STANFINS.
• Obtained and inspected the access control listing (ACL) for STANFINS to determine whether terminated employees had access.
  Result: Two separated employees retained access to one or more of the domains where STANFINS resides.
• Inspected the ACL to determine whether duplicate accounts existed.
  Result: No duplicate accounts were identified. However, three accounts on the Far East domain had no user name associated with the ACF2 ID (ACID).
• Inspected an ACL of remote users to determine whether management limited, documented, and approved access.
  Result: Remote access to the DISA DECC-St. Louis mainframes via telnet was not restricted and not secured via encryption.

DFAS
Control Description:
The Procedures for ASIMS Access Controls details policies on security access responsibilities and the process to grant user access to STANFINS. DFAS uses user access forms to document the establishment, modification, deletion, or suspension of access to STANFINS IT resources, including the STANFINS application and the ELAN that DFAS administrative and field sites use to gain access to STANFINS.

The ELAN administrator, prior to establishing a network user ID and password, must approve and sign the access request form. For some sites, a separate security group approves the form via signature.

Users must have a TAPS account in order to access the STANFINS application. The local TASO/ISSO is responsible for security administration, including the assignment of TAPS accounts. The ISSO creates user accounts for TAPS/STANFINS through a tool called VASS. For the majority of DFAS field sites, a Microsoft Excel spreadsheet, an Access database, or other manual means of tracking are used to identify STANFINS/TAPS users, TAPS mode profiles, and assigned TAPS modes. At DFAS-Orlando and DFAS-Japan, TASOs/ISSOs generate ACF2-native listings to identify and track who has access to TAPS and STANFINS.

The DFAS Information System Security Plan (ISSP) provides guidance in conducting monthly recertifications of STANFINS and ELAN accounts. The ISSO is responsible for providing each supervisor with a STANFINS user access list. The supervisor is responsible for validating and authorizing user access.

Remote network access is granted to users with a valid need, which must be approved by a supervisor, to access the network remotely via Defense Internet Service Provider (DISP) accounts.

Tests of Operating Effectiveness and Results:
• Inspected DFAS policies and procedures to determine whether guidance was established to outline ELAN administrator security responsibilities.
  Result: Of the four DFAS sites tested, DFAS-Indianapolis (PMO and TSO), DFAS-Pacific, DFAS-Japan and DFAS-Rome stated that there was no DFAS service-wide policy or guidance document outlining local ELAN administrator security responsibilities versus those of centralized groups responsible for the administration/monitoring of DFAS-wide network security.
• Inspected access control procedures to determine whether the process for granting, monitoring, and removing access to STANFINS and the GSS followed Federal (NIST SP 800-26 – Logical Access) and DoD guidance (DoD Instruction 8500.2 – Remote Access, Access Procedures, Access Control Policies, Contractor and Foreign Nationals Access, Comprehensive Account Management, Least Privilege Procedures, Classified Data Protection).
  Result: DFAS field sites did not have the technical knowledge to generate STANFINS and TAPS user access lists directly from the security system. As a result, of the ten DFAS field sites, DFAS-Rome, DFAS-Denver, DFAS-San Antonio, DFAS-Lawton, DFAS-Columbus, DFAS-Indianapolis, DFAS-Pacific and DFAS-Seaside could not:
  • Identify all TAPS modes (access privileges) assigned to users;
  • Determine whether users had inappropriate access to TAPS modes, based on job responsibilities; and
  • Determine whether manually derived and maintained access control lists accurately reflected the user population.
  Result: Of the ten DFAS field sites, nine field sites (DFAS-Rome, DFAS-Denver, DFAS-Lawton, DFAS-San Antonio, DFAS-Columbus, DFAS-Seaside, DFAS-Indianapolis, DFAS-Pacific and DFAS-Japan) either used locally developed procedures or had not documented procedures for granting, approving, monitoring, recertifying, and removing user access to STANFINS and the ELAN.
• Inspected access forms for a random sample of users of STANFINS (at the application and network level) to determine whether management authorized access.
  Result: Six of ten DFAS user sites did not have complete or existing authorizations for STANFINS users:
  DFAS-Denver:
  • 18 STANFINS user access forms did not have an ELAN Account Request Form on file.
  DFAS-Pacific:
  • Justification for STANFINS user access was pre-populated on user access forms by the TASOs and may not support actual needs.
  • The functional data owner's signature was missing from TAPS user request forms on two of the eight forms inspected.
  DFAS-Japan:
  • Four out of 31 ELAN access request forms that users filled out in 1998 did not have an approval (signature).
  • Two external ELAN users had not signed user agreements.
  • Seven out of 53 DD 2875/DISA 41 forms did not contain a business reason for the access request.
  • One out of 53 DD 2875/DISA 41 forms did not contain a business case that adequately explained the reasoning for the access request.
  • One out of 26 DISP User Access Request forms could not be found.
  • Two out of 26 user access forms were not signed by the TASO.
  • One out of 26 user access forms did not contain a supervisor signature or a business case justification.
  DFAS-Rome:
  • Three out of 30 user access forms did not have authorization documentation available.
  • 11 of 29 users with DISP accounts did not have a DISP user access request form with the appropriate approvals and/or justification. Two of these users had STANFINS accounts.
  DFAS-San Antonio:
  • 32 out of 41 LAN user access forms did not have an access request form on file.
  DFAS-Seaside:
  • 68 of 72 access request forms did not include an adequate business reason/justification for the access requested.
  • 46 of 72 access request forms had a pre-populated response that included the type of access the user needed, but did not justify the access.
  • Three out of 31 internal LAN user access forms did not have the functional data owner's signature.
  • 14 of 31 internal LAN user access forms did not have the original user access request form used to create their account.
  • Four of 31 internal user access request forms were not signed by the information security officer.
  • There was no evidence of LAN access request forms or DISP user access request forms being used prior to February 10, 2005.
• Inquired of DFAS field site ISSOs/TASOs to determine whether DFAS periodically recertified user access levels.
  Result: DFAS field sites did not have the technical knowledge to generate STANFINS and TAPS user access lists directly from the security system. At eight out of ten DFAS field sites (DFAS-Rome, DFAS-Denver, DFAS-Lawton, DFAS-San Antonio, DFAS-Columbus, DFAS-Seaside, DFAS-Indianapolis and DFAS-Pacific), the ISSOs/TASOs could not determine whether manually derived and maintained access control lists accurately reflected the user population, and therefore could not accurately perform user recertifications.
• Inquired of DFAS ISSOs/TASOs, as well as DFAS field site supervisors, and inspected user access listings to TAPS/STANFINS to determine whether user access was commensurate with job responsibilities.
  Result: At DFAS-Japan, DFAS-Lawton, DFAS-San Antonio, DFAS-Pacific, DFAS-Rome and DFAS-Seaside, users had access that was not required by their job responsibilities.

Control Activity:
AC-2.2 Emergency and temporary access authorization is controlled.

Control Description:
DFAS and DISA do not have emergency or temporary access accounts. All user access requests must follow the same access approval procedures. In cases of emergency, the same access forms are used and the same procedures are followed as for a normal access request; the only difference is that the request moves through the approval process more quickly.

Tests of Operating Effectiveness and Results:
• Inquired of DFAS field site ISSOs/TASOs to determine whether the process used to grant emergency and temporary access for STANFINS and/or the GSS was the same as the process for granting regular access.
  Result: No exceptions noted.

Control Activity:
AC-3.2 Adequate logical access controls have been implemented.

Common Controls (3)
Control Description:
DoD workstations are Common Access Card (CAC) configured, which means that all employees must insert their CAC card into the CAC card slot of their workstation in order to log on to their workstations. A user's name and ID are associated with each CAC card. When the user exits his or her workstation and removes the CAC card from the slot of the terminal, the workstation automatically locks.

Tests of Operating Effectiveness and Results:
• At three sites, observed use of CAC cards to determine security practices.
  Result: Observed instances in which users at DFAS-Indianapolis, DFAS-Orlando and DFAS-Columbus did not remove their CAC cards when leaving their workstations.
  Result: At DFAS-Indianapolis, DFAS-Orlando and DFAS-Columbus, CAC card security settings did not require entry of a password to "unlock" a workstation screensaver if the CAC card was inserted and after a period of inactivity.

DISA
Control Description:
The mainframe access control applications CA-ACF2 and CA-Top Secret protect the STANFINS application and the system software it resides on. ACF2 and Top Secret mainframe security software enforce discretionary access controls. Also, access to shared and networked file systems outside the mainframe environment is controlled through discretionary access controls enforced through network access privileges.

The UML (three-letter userid prefix designation for DECC users) Standardization memo establishes user ID rules for DECC users. DECC user IDs identify the user's department, as well as employment status.

Tests of Operating Effectiveness and Results:
• Inquired of the Security Division Branch Chief and Security Administrators and inspected ACF2 and Top Secret security settings to determine whether the security products were securely configured in accordance with OS/390 STIG guidance to enforce discretionary access controls.
  Result: The minimum password length on each of the five ACF2 ASIMS domains and the one Top Secret ASIMS domain was configured to six characters, while the OS/390 STIG required passwords to have a minimum of eight characters.
  Result: Users on the Top Secret ASIMS domain were not required by the system to use a national character (e.g., $, @, #) when creating new passwords, as required by the

(3) Common controls are those controls that a DoD organization other than DISA or DFAS implements, and are commonly applied across both DISA and DFAS.
Additionally, the OS/390 STIG                                                          OS/390 STIG.\nrequires a unique ACF2 or Top Secret user ID for every user.\n                                                                                                              \xe2\x80\xa2   Users on the ACF2 ASIMS domains could\nPasswords are not displayed as a user logs in to the mainframe.                                                   not use their previous four passwords;\nAfter three invalid log-on attempts, ACF2 automatically                                                           users should be restricted from using their\nterminates the session. For the Top Secret domains, Top Secret                                                    previous ten passwords as required by the\nsuspends the user\xe2\x80\x99s account after two invalid log-on attempts.                                                    OS/390 STIG.\nBefore authentication, a warning banner is displayed that\n                                                                                                              \xe2\x80\xa2   The Huntsville ASIMS domain had the\ninforms the user that the system is for authorized use only and\n                                                                                                                  JOBCK setting set to NOJOBCK. This\nthat activity will be monitored. 
The terminal session\n                                                                                                                  setting did not require ACF2 to verify\nautomatically logs the user off after 15 minutes of inactivity\n                                                                                                                  whether a user submitting a batch job had\nand a screen-lock appears after 15 minutes, which requires the\n                                                                                                                  been granted the authority to submit batch\nuser to re-authenticate in order to regain access.\n                                                                                                                  jobs.\nInactive accounts are suspended after 35 days of inactivity and\n                                                                                                              \xe2\x80\xa2   An individual user was assigned to the\ndeleted after 90 days of inactivity.\n                                                                                                                  Master Central Security Administrator\n                                                                                                                  (MSCA) account on the Top Secret\n                                                                                                                  ASIMS Far East domain. 
The MSCA\n                                                                                                                  designation allows full system access and\n                                                                                                                  is not required for individual users.\n\n                                                                                                              \xe2\x80\xa2   26 DECC ACF2 accounts on the ASIMS\n                                                                                                                  domains had passwords that did not expire\n                                                                                                                  (MAXDAYS not specified). 147 DECC\n                                                                                                                  Top Secret accounts on the Far East\n                                                                                                                  ASIMS domains had passwords that did\n                                                                                                                  not expire (Password Interval = 0).\n\n\n\n\n                                                                               53\n\x0cControl Description                                   Tests of Operating Effectiveness                   Results of Tests of Operating Effectiveness\n                                                                                                         \xe2\x80\xa2   DECC users had \xe2\x80\x9cWrite\xe2\x80\x9d or \xe2\x80\x9cAllocate\xe2\x80\x9d\n                                                                                                             access to STANFINS production\n                                                                                                             application datasets on two of five ACF2\n                   
                                                                                          ASIMS domains and the Top Secret\n                                                                                                             ASIMS Far East domain.\n\n                                                      \xe2\x80\xa2   Inspected the UML Standardization memo to      \xe2\x80\xa2   No exceptions noted.\n                                                          determine whether naming conventions were\n                                                          established for DECC users.\n\n                                                      \xe2\x80\xa2   Inquired of Security Division Branch Chief\n                                                          and system administrators to determine         \xe2\x80\xa2   No exceptions noted.\n                                                          security procedures for logging on and using\n                                                          the network. Inspected GSS (mainframe)\n                                                          policies and procedures to determine whether\n                                                          security procedures were documented.\n\n\n                                                      \xe2\x80\xa2   Inquired of Security Division Branch Chief     \xe2\x80\xa2   451 ACF2 and 108 Top Secret DECC user\n                                                          and inspected procedures to determine              accounts across the six STANFINS-related\n                                                          whether inactive mainframe user accounts           ASIMS domains were inactive for over\n                                                          were monitored and removed when not                180 days or had never been used.\n                                                          needed. 
Inspected the Top Secret and ACF2\n                                                          STANFINS-related domain ACLs to\n                                                          determine whether inactive DECC user IDs\n                                                          were present in the domains.\n                                                                                                         \xe2\x80\xa2   No exceptions noted.\n                                                      \xe2\x80\xa2   Observed an individual user sign on to the\n                                                          mainframe to determine whether the opening\n                                                          screen provided a warning banner that stated\n                                                          that the system was for authorized use only\n                                                          and that activity was monitored.\n\n                                                      \xe2\x80\xa2   Observed a PC terminal to determine whether    \xe2\x80\xa2   No exceptions noted.\n                                                          automatic log-off occurred after a preset\n                                                          number of minutes of inactivity.\nDFAS\nSTANFINS application password and user ID rules are\n\n\n                                                                   54\n\x0cControl Description                                               Tests of Operating Effectiveness                   Results of Tests of Operating Effectiveness\nconfigured within the security system software maintained by      \xe2\x80\xa2   Inspected DFAS policies and procedures to      \xe2\x80\xa2   DFAS-Indianapolis, DFAS-Pacific, DFAS-\nDISA as described above.                                              
determine whether guidance was established         Japan and DFAS-Rome maintained no\n                                                                      to outline ELAN administrator security             DFAS service-wide policy/guidance\nDFAS ELAN procedures include requirements that guide                  responsibilities.                                  document outlining local ELAN\nELAN administrators in the conduct of network security                                                                   administrator security responsibilities\nadministration.                                                                                                          versus those of centralized groups\n                                                                                                                         responsible for the administration/\n                                                                                                                         monitoring of DFAS-wide network\n                                                                                                                         security.\nDuring log-in to the ELAN, there is a banner warning users that\nthey are about to log on to a government workstation and that     \xe2\x80\xa2   Observed an individual user sign on to the     \xe2\x80\xa2   No exceptions noted.\ntheir use will be monitored. This banner automatically appears        network to determine whether the opening\nevery time a user accesses any DFAS workstation connected to          screen provided a warning banner that stated\nELAN.                                                                 
that the system was for authorized use only\n                                                                      and that activity was monitored.\n\n\n\n\n                                                                               55\n\x0cControl Description                                                   Tests of Operating Effectiveness                     Results of Tests of Operating Effectiveness\nControl Activity:\nAC-4.1 Audit trails are maintained.\nDISA\nMainframe audit log policies are outlined in the OS/390 STIG,         \xe2\x80\xa2   Inquired of security administrators, inspected   \xe2\x80\xa2   No audit log was created for the use of\nVolume 1. The OS/390 STIG requires review of the following                policy statements related to audit logging,          sensitive system utilities on the ACF2\naudit entries on a daily basis: dataset access violations, resource       and compared results to audit settings of            domains; thus, DISA DECC-St. Louis\nviolations, and program use violations. The OS/390 STIG                   security software.                                   could not review program use violations.\nrequires review of the following audit entries on a\nweekly/monthly basis: failed log-on attempts and security                                                                  \xe2\x80\xa2   Top Secret was not consistently configured\nprivileges (i.e., changes to special privileges or attributes).                                                                to generate audit logs for all sensitive\nSecurity reports for the six STANFINS-related ASIMS                                                                            utilities; thus, DISA DECC-St. Louis could\ndomains (five ACF2 and one Top Secret domain) are available                                                                    not review program use violations.\nfor DISA DECC-Mechanicsburg and DISA DECC-St. Louis to\nmonitor.                                   
                           \xe2\x80\xa2   Inquired to determine whether all changes to     \xe2\x80\xa2   Log data of changes to ACF2 and Top\n                                                                          security profiles by security managers were          Secret security profiles were not\n                                                                          automatically logged and periodically                consistently maintained and archived on\n                                                                          reviewed by management independent of the            the mainframe across the six ASIMS (one\n                                                                          security function. Inquired of security              Top Secret, five ACF2) domains. As a\n                                                                          administrators and inspected logs to                 result:\n                                                                          determine whether unusual activity was               \xe2\x80\xa2 No ACF2 log review evidence existed,\n                                                                          investigated.                                            
to include changes to ACF2 security\n                                                                                                                                   profiles, or violation logs prior to\n                                                                                                                                   January 3, 2005.\n                                                                                                                               \xe2\x80\xa2 No Top Secret log review evidence\n                                                                                                                                   existed, to include changes to security\n                                                                                                                                   profiles, or violation logs.\n                                                                                                                               \xe2\x80\xa2 Sufficient contact information did not\n                                                                                                                                   exist to adequately follow-up on issues\n                                                                                                                                   identified during review of the logs.\n                                                                                                                                   The contacts listed on the logs were\n                                                                                                                                   not the appropriate contacts.\n\n                                                                                                                           \xe2\x80\xa2   DISA DECC-St. 
Louis and DISA DECC-\n                                                                                                                               Mechanicsburg did not maintain or review\n                                                                                                                               logs that detailed activities of remote user\n                                                                                                                               sessions.\n\n\n\n\n                                                                                   56\n\x0cControl Description                                           Tests of Operating Effectiveness                Results of Tests of Operating Effectiveness\n\n                                                                                                              \xe2\x80\xa2   DISA DECC-St. Louis and DISA DECC-\n                                                                                                                  Mechanicsburg did not maintain evidence\n                                                                                                                  of review of ACF2 or Top Secret global\n                                                                                                                  system options.\n\n                                                              \xe2\x80\xa2   Inquired of systems administrators and      \xe2\x80\xa2   DISA DECC-St. Louis and DISA DECC-\n                                                                  inspected the organizational charts to          Mechanicsburg did not segregate\n                                                                  determine whether monitoring personnel          monitoring responsibilities for ACF2 and\n                                                                  were independent.                               
Top Secret audit and violation logs from\n                                                                                                                  security administration functions.\nControl Activity:\nAC-4.2 Actual or attempted unauthorized, unusual, or sensitive access is monitored.\nDISA\nDFAS is responsible for monitoring STANFINS application-      \xe2\x80\xa2 Inquired of security administrators and       \xe2\x80\xa2   No audit log was created for the use of\nspecific audit logs. DISA DECC-Mechanicsburg reviews audit       inspected logs to determine whether audit        sensitive system utilities on the ACF2\nlogs for the five STANFINS-related ACF2 ASIMS domains as         trails were regularly reviewed and whether       domains; thus, DISA DECC-St. Louis\nrequired by the OS/390 STIG (except the program use violation    security violations were investigated and        could not review program use violations.\nlogs). DISA DECC-St. Louis reviews audit logs for the one        communicated to management.\nSTANFINS-related Top Secret ASIMS domain.                                                                     \xe2\x80\xa2   Top Secret was not consistently configured\n                                                                                                                  to generate audit logs for all sensitive\n                                                                                                                  utilities; thus, DISA DECC-St. 
Louis could\n                                                                                                                  not review program use violations.\n\n                                                                                                              \xe2\x80\xa2   Log data of changes to ACF2 and Top\n                                                                                                                  Secret security profiles were not\n                                                                                                                  consistently maintained and archived on\n                                                                                                                  the mainframe across the six ASIMS (one\n                                                                                                                  Top Secret, five ACF2) domains. As a\n                                                                                                                  result:\n                                                                                                                  \xe2\x80\xa2 No ACF2 log review evidence existed,\n                                                                                                                      to include changes to ACF2 security\n                                                                                                                      profiles, or violation logs prior to\n                                                                                                                      January 3, 2005.\n                                                                                                                  \xe2\x80\xa2 No Top Secret log review evidence\n                                                                                                                      existed, to include changes to security\n      
                                                                                                                profiles, or violation logs.\n                                                                                                                  \xe2\x80\xa2 Sufficient contact information did not\n\n\n\n                                                                           57\n\x0cControl Description                                             Tests of Operating Effectiveness                     Results of Tests of Operating Effectiveness\n                                                                                                                             exist to adequately follow-up on issues\n                                                                                                                             identified during review of the logs.\n                                                                                                                             The contacts listed on the logs were\n                                                                                                                             not the appropriate contacts.\n\n                                                                                                                     \xe2\x80\xa2   DISA DECC-St. Louis and DISA DECC-\n                                                                                                                         Mechanicsburg did not maintain or review\n                                                                                                                         logs that detailed activities of remote user\n                                                                                                                         sessions.\n\n                                                                                                                     \xe2\x80\xa2   DISA DECC-St. 
Louis and DISA DECC-\n                                                                                                                         Mechanicsburg did not maintain evidence\n                                                                                                                         of review of ACF2 or Top Secret global\n                                                                                                                         system options.\nDFAS\nIf a user accumulates three unsuccessful log-ons to ELAN, the   \xe2\x80\xa2   Inquired of the ELAN Security Administrator      \xe2\x80\xa2   DFAS-Denver, DFAS-Pacific, DFAS-\nuser\xe2\x80\x99s account is suspended, which requires reset by ELAN           regarding the configuration setting related to       Indianapolis, DFAS-Japan, DFAS-Lawton,\nAdministrator.                                                      account lockout based on the accumulation of         DFAS-Rome, DFAS-San Antonio and\n                                                                    a predefined number of unsuccessful log-ons.         DFAS-Seaside did not maintain audit logs\n                                                                                                                         for the ELAN access attempts. DFAS-\n                                                                \xe2\x80\xa2   Inquired of DFAS field site ISSO/TASOs               Denver, DFAS-Lawton, DFAS-San\n                                                                    and inspected procedures for the tracking of         Antonio and DFAS-Rome did not maintain\n                                                                    unsuccessful user access log-on attempts to          documented procedures for tracking\n                                                                    the ELAN.                                            
unsuccessful user access log-on attempts to\n                                                                                                                         the local LAN.\n\nControl Activity:\nAC-4.3 Suspicious access activity is investigated and appropriate action taken.\nDISA\nDISA DECC-Mechanicsburg implemented an audit log review \xe2\x80\xa2 Inquired of management and inspected                       \xe2\x80\xa2   Log data of changes to ACF2 and Top\nspreadsheet as of January 3, 2005, which is used to identify       documentation to determine whether security           Secret security profiles were not\nactivities that warrant follow-up. Audit log review                violations were summarized and reported to            consistently maintained and archived on\nspreadsheets for each domain are made available to senior          senior management.                                    the mainframe across the six ASIMS (one\nmanagement via shared network folders. The Security                                                                      Top Secret, five ACF2) domains. As a\nDivision Branch Chief will periodically monitor these files to                                                           result:\nhelp ensure the logs are monitored and to review trends.\n                                                                                                                         \xe2\x80\xa2   No ACF2 log review evidence existed,\nDISA DECC-Mechanicsburg relies on the automated security                                                                     to include changes to ACF2 security\n\n\n                                                                             58\n\x0cControl Description                                                 Tests of Operating Effectiveness   Results of Tests of Operating Effectiveness\nreporting features of ACF2. 
ACF2 generates reports from raw                                                    profiles, or violation logs prior to\nSystem Management Facility (SMF) records based on type of                                                      January 3, 2005.\nactivity (e.g., log-on ID modification, dataset access violation,                                          \xe2\x80\xa2   No Top Secret log review evidence\netc.). Similarly, DISA DECC-St. Louis relies on the automated                                                  existed, to include changes to security\nsecurity reporting features of Top Secret.                                                                     profiles, or violation logs.\n                                                                                                           \xe2\x80\xa2   Sufficient contact information did not\nThe OS/390 STIG requires the DECC to review the ACF2 and                                                       exist to adequately follow-up on issues\nTop Secret global control options at least quarterly to                                                        identified during review of the logs.\ndetermine whether any changes were authorized and necessary.                                                   The contacts listed on the logs were\n                                                                                                               not the appropriate contacts.\n\n\n\n\n                                                                                 59\n\x0cAccess Control (AC) \xe2\x80\x93 Physical Security\n\nControls provide reasonable assurance that physical access controls are established to prevent or detect unauthorized access.\n\n Control Description                                             Tests of Operating Effectiveness                  Results of Tests of Operating Effectiveness\n Control Activity:\n AC-3.1 Adequate physical security controls have been implemented \xe2\x80\x93 A. 
Physical safeguards have been established that are commensurate with the risks of physical damage or access.

DISA

Control Description:
The DISA DECC facility maintains physical access controls around the compound housing the DECC facility. Exterior doors to the building are secured via an electronic badge reader or keyed locks. Additionally, exterior doors are alarmed. Guards located at the entrance of the compound and Federal Protective Services (FPS) monitor the exterior door alarms.

Access to the sensitive computer room areas of the DECC is controlled via an electronic badge reader as well as a scramble pad. Individuals entering the sensitive areas must present an authorized badge at the badge reader and enter a PIN into the scramble pad to gain access. The code to the combination lock is restricted to a limited number of individuals in the Telecommunications Branch and Security Division.

Physical access controls at the DECC are designed to always allow an individual to exit any area of the facility. While an individual can exit a sensitive area without presenting a badge to the badge reader, any individual that does not present a valid badge (i.e., a badge with authorized access to the sensitive areas) before exiting through a door will trigger an alarm through the intrusion detection system and access control system. The Central Station Monitors relay these alarms to the Chief of Security, Federal Protective Services, and facility guards.

Closed-circuit video cameras monitor exterior fence lines of the compound housing the DECC. General Services Administration-contracted guards, as well as the FPS, monitor these cameras. Within the DECC, closed-circuit video cameras monitor the entrances of all sensitive computer room areas. These cameras are not actively monitored; rather, the cameras record to VHS tapes, which can be used in the event of a security-related incident.

An authorized identification badge and PIN code are required to enter the computer room and tape/media library at all times. The computer room and tape/media library are separated from the administrative areas, and individuals must be granted access specifically to these areas in order to gain access.

GSA is responsible for the issuance of physical keys to the DECC Security Division, and the DECC Security Division is responsible for key control within the DECC facility.

Personnel position computer monitors to eliminate potential viewing by unauthorized persons.

The Information System Security Standard Operating Procedures (SOP) for Laptop Computer Systems establishes rules of behavior for all laptop system users and outlines security responsibilities for laptop users. Laptops can be taken home by employees or are kept in each employee’s work area/office within the controlled-access DECC facility.

Tests of Operating Effectiveness and Results:
• Toured the DISA DECC-St. Louis to determine whether the following physical access controls were in place:
    • Electronic badge readers/keyed locks secured exterior doors;
    • Exterior doors were alarmed;
    • Guards were located at the entrance of the compound;
    • Electronic badge readers/scramble pads secured sensitive computer room doors and the tape library;
    • Computer room and tape library were physically separate from administrative areas;
    • Closed-circuit video cameras recorded footage to VHS tapes to monitor exterior fence lines, as well as entrances to all sensitive computer room areas; and
    • Personnel positioned computers to eliminate potential viewing by unauthorized persons.
  Result: No exceptions noted.
• Inspected a list of individuals with access to the computer room to determine whether physical access was commensurate with job responsibilities and no terminated employees retained access to the computer room.
  Result: At DECC St. Louis, seven individuals on the computer room access list could not be identified by the DECC Security Branch Chief as requiring access to sensitive computer room areas. Those individuals were immediately removed from the access list in October 2004.
• Attempted to access the computer room without a badge or escort to determine whether the electronic badge system controls the door locking mechanism and restricts access to unauthorized individuals.
  Result: No exceptions noted.
• For a random sample of individuals with access to the computer room, inspected corresponding user access forms to determine whether access was signed (i.e., approved) by an authorizing official.
  Result: 27 of 41 users sampled did not have a corresponding access form that was signed by an authorizing official.
• Inquired of the Security Branch Chief and inspected the Information System Security SOP for Laptop Computer Systems to determine whether policy established rules of behavior for all laptop system users and outlined security responsibilities for laptop users.
  Result: No exceptions noted.

Control Activity:
AC-3.1 Adequate physical security controls have been implemented – B. Visitors are controlled.

DISA

Control Description:
DECC facility physical access points are controlled by card access and intrusion detection systems at all times. Visitors to the compound must be on an approved visitors listing, which identifies the arrival and expected departure dates for visitors. The guards verify that everyone entering the compound has an authorized form of DoD identification (i.e., CAC card, DISA DECC badge, etc.). Visitors to the compound must provide a valid government-issued identification to be placed on the approved visitors listing. The Homeland Security Threat Advisory Levels determine how closely a visitor is escorted. Visitor vehicles are inspected for hazardous materials, and visitor entry logs are present for all sensitive computer room areas at the DECC.

Tests of Operating Effectiveness and Results:
• Inspected the DISA DECC-St. Louis Facility and Building Access Procedures to determine whether visitor processing procedures were documented.
  Result: No exceptions noted.
• Inquired of the DECC Security Branch Chief and guards and observed visitor processing procedures. Walked through the visitor processing procedure during entrance into and exit out of the compound.
  Result: No exceptions noted.
• Observed the entry logs for the DISA DECC-St. Louis facility to determine whether visitor access was recorded.
  Result: No exceptions noted.

Access Control (AC) and System Software (SS) – Computer Operations

Controls provide reasonable assurance that computer processing occurs in accordance with the documented processing schedule, and schedule deviations are identified and appropriately addressed in a timely manner.

Control Activity:
The production scheduling function is adequately separated from other data center functions, such as system software maintenance, logical security, and database administration.

Control Description:
DISA DECC-St. Louis is responsible for the configuration and access administration of Control-M production scheduling software, as well as other data center functions. The DFAS CDOIM is primarily responsible for the overall management and continuance of the STANFINS batch production cycles, including maintenance of the production job schedule, Job Control Language maintenance, operations monitoring, and the resolution of unintended deviations from the STANFINS production job schedule and ABENDS. Additionally, the decentralized DOIM organizations are primarily responsible for the management and continuance of the STANFINS batch production cycles related to the sites that they support. The DOIM and CDOIM organizations fall under the TSO within DFAS, a separate DoD component from DISA.

Tests of Operating Effectiveness and Results:
• Inquired of CDOIM/DOIM IT Supervisors and IT Specialists and inspected the CDOIM Operations Management Plan and organizational charts/position descriptions to determine whether the Production Scheduling group was appropriately segregated from other operations groups.
  Result: No exceptions noted.

Control Activity:
Production scheduling software (Control-M) has been configured securely and provides adequate logical access controls.

DISA

Control Description:
DISA DECC-St. Louis is responsible for the configuration and access administration of Control-M production scheduling software. Control-M has been configured to provide security over the ability to issue operator commands and to modify jobs in the queue and individual jobs and schedules.

Tests of Operating Effectiveness and Results:
• Inspected access listings and security settings of the Control-M scheduling utility to determine whether the utility was configured securely.
  Result: DISA DECC-St. Louis user access to the Job Status Screen and History Jobs files was excessive based on segregation of duties principles.

Control Activity:
Control-M operating procedures and processing schedules are documented and available to operators.

DFAS

Control Description:
All Control-M procedure documentation is available to any member of the CDOIM/DOIMs. The Job Analyzer Utility Manual covers topics including logic, preparations, installation, Job Control Language (JCL) parameters, and analyzing a single job. The User Manual covers topics including the rule definition facility, implementation considerations, job production parameters, the Control-M Event Manager, and the reporting facility.

Tests of Operating Effectiveness and Results:
• Inquired of the IT Supervisor and IT Specialists and inspected manuals to determine whether processes were documented and available.
  Result: At the DOIM site located in Denver:
    • Denver DOIM Management did not develop and implement Control-M standards and procedures to aid personnel in the use of this application.
    • The process for documenting job schedule changes and any issues during processing was informal. As a result, no documentation existed for these processes.
    • Management did not document a description of STANFINS production jobs; a description of ABEND codes; and escalation, recovery, and restart procedures.

Control Activity:
Procedures for requesting, approving, and implementing changes to the production schedule are documented and in place.

DFAS

Control Description:
The procedures for scheduling are documented in the CDOIM Operations Management Plan and DOIM SOPs. Each month, the field sites e-mail the CDOIM/DOIM a monthly calendar with all scheduled releases. The CDOIM/DOIM IT Specialist logs into Control-M using a unique user ID and password and accesses the calendar function within Control-M. The IT Specialist then manually enters each of the scheduled releases on the appropriate day(s) of the month, as determined by the calendar. Control-M then reads and releases each schedule accordingly.

Tests of Operating Effectiveness and Results:
• Inspected the CDOIM Operations Management Plan to determine whether management documented scheduling procedures.
  Result: No exceptions noted.
• Inquired of the IT Supervisor and IT Specialist to determine how they received, documented, approved, and tracked schedule change requests through completion/resolution.
  Result: At all three CDOIM/DOIM sites visited, documentation of schedule requests was not maintained.

Control Activity:
Audit trails of production job processing are generated and maintained.

Control Description:
Control-M records the date and time, user ID and disposition code, and job execution message regarding the completion of production jobs to audit trails. Color-coding facilitates the identification of production jobs that finished in a state of error. Audit trails are generated in real time during the execution of the production schedule and are available for review after the fact.

Control-M produces a log that identifies that an individual has made a schedule change and the user ID of the person who made the change. Control-M has the ability to filter data to identify deleted schedules and the user who performed the deletion.

Tests of Operating Effectiveness and Results:
• Inquired of the IT Supervisor and Specialist and inspected the settings page to determine the settings applied for recording audit records in SysLog.
  Result: At the DOIM located in Denver, personnel were unaware of automated logging features in Control-M, stating there was no automated audit logging process for STANFINS job scheduling and processing.
• Inspected a screen print of the Control-M History log to determine whether management documented audit trails of production schedule/job completion.
  Result: At the DOIM located in Denver, personnel were unaware of automated logging features in Control-M, stating there was no automated audit logging process for STANFINS job scheduling and processing.

Control Activity:
Realized production issues that cause deviations from the predefined production-processing schedule are identified, documented, and tracked to their resolution. Procedures outline steps for recovery from production issues, and escalation listings/contact information is documented and available to personnel.

DISA

Control Description:
DISA DECC-St. Louis and DISA DECC-Mechanicsburg share responsibility for monitoring production processing with DFAS. When an operator at the DECC identifies an abnormal job termination (ABEND), he/she creates a REMEDY system ticket to track the issue and contacts an appropriate DFAS POC for resolution. Contact lists/escalation procedures document the POCs to be called in the event of an unresolved ABEND. DISA DECC maintains historical REMEDY tickets as a resource for identifying and resolving production-processing problems. Once the operator alerts DFAS of the issue, DFAS is responsible for identifying a method of resolution and ensuring the problem is resolved.

Tests of Operating Effectiveness and Results:
• Inquired with Technical Support Branch (TSB) personnel to determine whether a process for identifying, documenting, and tracking production schedule deviations was developed.
  Result: No exceptions noted.
• Inspected the listing of appropriate DFAS points of contact to determine if contact information was documented.
  Result: No exceptions noted.
• For production issues since July 2004, inspected the corresponding REMEDY tickets to determine if they were tracked to completion.
  Result: No exceptions noted.

DFAS

Control Description:
DISA DECC-St. Louis and DISA DECC-Mechanicsburg share responsibility for monitoring production processing with DFAS. Once DFAS is alerted of the issue, DFAS is responsible for identifying a method of resolution and ensuring the problem is resolved.

Some DOIM sites have standard operating procedures to address production job ABENDS and escalation procedures. Processing is monitored in real time, and any issues are immediately identified and addressed. When a job encounters an ABEND, the screen turns red and processing stops until an operator corrects the error and restarts the job.

Escalation procedures provide detailed instruction on handling ABENDS and identify points of contact. In some cases, Internal Trouble Reports are created when STANFINS processing ABENDS. When an Internal Trouble Report is created, an approval must accompany the change made to fix the processing issue.

Tests of Operating Effectiveness and Results:
• Inquired with the Computer/Electronic Data Processing (EDP) Specialist to determine whether a process for identifying, documenting, and tracking production schedule deviations was developed. Inspected procedures to determine whether the process was documented and whether a point of contact list was available for reference when problem escalation was necessary.
  Result: At the DOIM site located in Denver:
    • Denver DOIM Management did not develop and implement Control-M standards and procedures to aid personnel in the use of this application.
    • The process for documenting job schedule changes and any issues during processing was informal. As a result, no documentation existed for these processes.
    • Management did not document a description of STANFINS production jobs, a description of ABEND codes, and escalation, recovery, and restart procedures.
• Inspected procedures used for production processing and documentation used to track deviations from the predefined production-processing schedule.
  Result: At the DOIM site located in Denver:
    • Denver DOIM Management did not develop and implement Control-M standards and procedures to aid personnel in the use of this application.
    • The process for documenting job schedule changes and any issues during processing was informal. As a result, no documentation existed for these processes.
    • Management did not document a description of STANFINS production jobs, a description of ABEND codes, and escalation, recovery, and restart procedures.
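The review that the Control-M audit trail described above supports, together with the tracking of ABENDs to resolution covered by this control activity, as an added example in Python (not part of this report, and not Control-M's own tooling): it runs over a constructed audit-trail extract, lists jobs that ended in error, deleted schedules with the user ID that deleted them, and ABENDs with no trouble ticket tracked to completion, and returns a summary that a reviewer can retain as log review evidence. The record layout, event names, user IDs and ticket numbers are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample audit trail. The pipe-separated layout (timestamp, user ID,
# event type, job or schedule name, disposition code, job execution message) is
# an assumed illustrative format, not Control-M's real log format.
SAMPLE_TRAIL = """\
2005-01-14 02:13:45|CTMSYS|JOBEND|STFN0310|ENDED OK|JOB STFN0310 ENDED OK RC=0000
2005-01-14 02:41:09|CTMSYS|JOBEND|STFN0410|ENDED NOTOK|ABEND S0C7 IN STEP STEP030
2005-01-14 03:05:22|DOIMUSR2|SCHED_CHANGE|STFN0410|N/A|HOLD REMOVED, RERUN REQUESTED
2005-01-14 03:20:51|CTMSYS|JOBEND|STFN0410|ENDED OK|JOB STFN0410 ENDED OK RC=0000
2005-01-14 04:10:03|CTMSYS|JOBEND|STFN0522|ENDED NOTOK|ABEND U0016 IN STEP STEP010
2005-01-14 09:47:30|DOIMUSR1|SCHED_DELETE|STFN0610|N/A|SCHEDULE DELETED FROM CALENDAR
"""

# Constructed trouble tickets; the ticket number is a placeholder, not a real REMEDY id.
SAMPLE_TICKETS = [
    {"ticket": "TICKET-PLACEHOLDER-1", "job": "STFN0410", "status": "CLOSED"},
]


@dataclass(frozen=True)
class AuditRecord:
    timestamp: datetime
    user_id: str
    event: str        # JOBEND, SCHED_CHANGE or SCHED_DELETE in the assumed format
    target: str       # job or schedule name
    disposition: str  # e.g. "ENDED OK" / "ENDED NOTOK"
    message: str


def parse_record(line: str) -> AuditRecord:
    """Parse one pipe-separated record; reject malformed lines rather than guess."""
    fields = line.rstrip("\n").split("|", 5)
    if len(fields) != 6:
        raise ValueError(f"malformed audit record: {line!r}")
    ts, user_id, event, target, disposition, message = fields
    return AuditRecord(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       user_id, event.upper(), target, disposition.upper(), message)


def parse_trail(text: str) -> List[AuditRecord]:
    """Parse a whole extract, skipping blank lines."""
    return [parse_record(ln) for ln in text.splitlines() if ln.strip()]


def failed_jobs(records: List[AuditRecord]) -> List[AuditRecord]:
    """Jobs that finished in a state of error (what the color-coding highlights)."""
    return [r for r in records if r.event == "JOBEND" and r.disposition == "ENDED NOTOK"]


def schedule_deletions(records: List[AuditRecord]) -> List[Tuple[str, str, str]]:
    """Deleted schedules with the user ID that performed the deletion and when."""
    return [(r.target, r.user_id, r.timestamp.isoformat(sep=" "))
            for r in records if r.event == "SCHED_DELETE"]


def untracked_abends(records: List[AuditRecord], tickets: List[Dict[str, str]]) -> List[str]:
    """ABENDed jobs with no trouble ticket tracked to completion (CLOSED or RESOLVED)."""
    tracked = {t["job"] for t in tickets if t["status"].upper() in ("CLOSED", "RESOLVED")}
    return sorted({r.target for r in failed_jobs(records)} - tracked)


def review_evidence(records: List[AuditRecord], tickets: List[Dict[str, str]],
                    reviewer: str) -> Dict[str, object]:
    """Summary a reviewer can retain as evidence that the audit trail was examined."""
    period: Optional[Tuple[str, str]] = None
    if records:  # an empty extract is itself a finding, so do not fail on it
        period = (min(r.timestamp for r in records).isoformat(sep=" "),
                  max(r.timestamp for r in records).isoformat(sep=" "))
    open_abends = untracked_abends(records, tickets)
    return {
        "reviewer": reviewer,
        "records_reviewed": len(records),
        "period": period,
        "failed_jobs": [r.target for r in failed_jobs(records)],
        "untracked_abends": open_abends,
        "schedule_deletions": schedule_deletions(records),
        "follow_up_required": bool(open_abends),
    }


if __name__ == "__main__":
    summary = review_evidence(parse_trail(SAMPLE_TRAIL), SAMPLE_TICKETS, "reviewer-placeholder")
    for key, value in summary.items():
        print(f"{key}: {value}")
```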
Tests of Operating Effectiveness and Results (continued):
• For production issues since July 2004, inspected the corresponding REMEDY tickets to determine if they were tracked to completion.
  Result: No exceptions noted.

Change Control (CC)

Controls provide reasonable assurance that program (coding) changes to the STANFINS application are authorized, documented, tested, approved, and properly implemented.

Control Activity:
CC-1.1 A system development life cycle methodology (SDLC) has been implemented.

DFAS

Control Description:
The Software Configuration Management Plan (SCMP) dated March 6, 2003, outlines responsibilities, requirements, and procedures related to application development and configuration control. The TSO-Indianapolis Design Specification (DS) Procedure document details procedures, standards, and requirements regarding STANFINS program design. The DFAS STANFINS Software Quality Assurance Plan (SQAP) dated August 2002 details the STANFINS testing requirements, roles, and requirements. The Organization Standard Software Process (OSSP) details the Software Life Cycle and the overview of OSSP Phases and Tasks.

The SSAA includes listings of the hosting GSS, hosted Automated Information System (AIS) applications, interconnected outsourced IT-based processes, and interconnected IT platforms.

Tests of Operating Effectiveness and Results:
• Inspected the Software Configuration Plan, the TSO-Indianapolis DS Procedure, the DFAS STANFINS SQAP, and the OSSP to determine whether a system development life cycle was developed and documented.
  Result: No exceptions noted.
• Inquired of change management staff to determine whether staff involved with developing and testing software were familiar with the use of the SDLC methodology.
  Result: No exceptions noted.
• Inspected the SSAA to determine whether it provided a structured approach consistent with generally accepted concepts and practices.
  Result: No exceptions noted.

Control Activity:
CC-1.2 Authorizations for software modifications are documented and maintained.

DFAS

Control Description:
STANFINS software changes, with the potential exception of changes required to accommodate interfacing systems, must be accompanied by a completed System Change Request (SCR) form. The SCR must be filled out and approved by the System Owner before the change is tested and migrated to production.

Prior to testing, each SCR requires a documented Test Condition Requirements (TCR) form to be filled out, including a sign-off documenting the STANFINS PMO Functional group’s approval. Testing is performed using production data in a test environment.

Once the TCR is authorized, the PMO Functional group sends an e-mail to TSO regarding the change release. A checklist is used to determine that all appropriate steps have been taken prior to ship. DECC is contacted to determine that they are ready to receive, and have received, the release.

Tests of Operating Effectiveness and Results:
• Inspected supporting authorization and testing documentation for STANFINS changes applied during the examination period to determine whether documentation was prepared in accordance with DoD Instruction 8500.2.
  Result: Documentation of testing and authorizations related to the development and implementation of STANFINS application changes was inconsistently generated and maintained. These inconsistencies included:
    • SCRs were generally not created if the Change Control Board knew that the request would not be authorized.
    • All Change Control Board meetings were informal, held as needed, and most communication regarding proposed changes was discussed verbally (not documented).
    • Of 15 SCRs and TCRs generated October 2, 2002 through October 2004, only three had e-mail documentation to support the change.
    • Of 12 FY 2004 SCRs, only three copies of e-mails notifying the DFAS field sites of changes were maintained.

Control Activity:
CC-2.1 Changes are controlled as programs progress through testing to final approval.

DFAS

Control Description:
STANFINS currently operates in a “maintenance mode,” which means that only emergency maintenance changes are applied. Emergency maintenance changes are those software changes required to maintain compliance with applicable Federal statutes and regulations.

STANFINS software changes, with the potential exception of changes required to accommodate interfacing systems, must be accompanied by a completed SCR form. The SCR must be filled out and approved by the System Owner before the change is tested and migrated to production.

Prior to testing, each SCR requires a documented TCR form to be filled out, including a sign-off documenting the STANFINS PMO Functional group’s approval. Testing is performed using production data in a test environment.

Once the TCR is authorized, the PMO Functional group sends an e-mail to TSO regarding the change release. A checklist is used to determine that all appropriate steps have been taken prior to packaging the software change for DECC implementation. DECC is contacted to determine that they are ready to receive, and have received, the release.

Tests of Operating Effectiveness and Results:
• Inspected supporting authorization and testing documentation for STANFINS changes applied during the examination period to determine whether documentation was prepared in accordance with DoD Instruction 8500.2.
  Result: Documentation of testing and authorizations related to the development and implementation of STANFINS application changes was inconsistently generated and maintained. These inconsistencies included:
    • SCRs were generally not created if the Change Control Board knew that the request would not be authorized.
    • All Change Control Board meetings were informal, held as needed, and most communication regarding proposed changes was discussed verbally (not documented).
    • Of 15 SCRs and TCRs generated October 2, 2002 through October 2004, only three had e-mail documentation to support the change.
    • Of 12 FY 2004 SCRs, only three copies of e-mails notifying the DFAS field sites of changes were maintained.
• Performed inquiry of the PMO Accountant and Lead Specialist to verify the process used to document and authorize changes.
  Result:
    • STANFINS application changes were manually controlled, migrated, and released from the testing environment;
however, the documentation was not\n                                                                                                                          appropriately maintained as seen in the\n                                                                                                                          exception above. Specifically, there was\n                                                                                                                          no automated version controls (i.e., a\n                                                                                                                          program change version control system) to\n                                                                                                                          track changes to STANFINS.\nDISA\nThe TSB staff in DISA DECC-St. Louis receives final              \xe2\x80\xa2   Inspected the notification e-mails for a         \xe2\x80\xa2   No exceptions noted.\ninstruction to implement the changes via e-mail from the staff       selection of STANFINS changes (all\nin Indianapolis.                                                     
STANFINS changes applied during the\n                                                                     examination period were selected) to\n                                                                     determine whether such communications\n                                                                     between DFAS and the DISA DECC-St.\n                                                                     Louis were documented.\n\n\n\n\n                                                                              69\n\x0cControl Description                                          Tests of Operating Effectiveness                        Results of Tests of Operating Effectiveness\nControl Activity:\nCC-2.2 Emergency changes are promptly tested and approved.\nDFAS\nAll changes are considered to be emergency changes and       \xe2\x80\xa2 Inspected supporting authorization and                \xe2\x80\xa2   Documentation of testing and\nundergo the process documented in Control Activity CC-2.1        testing documentation STANFINS changes                  authorizations related to the development\nChanges are controlled as programs progress through testing      applied during the examination period to                and implementation of STANFINS\nto final approval. STANFINS currently operates in a              determine whether documentation was                     application changes were inconsistently\n\xe2\x80\x9cmaintenance mode,\xe2\x80\x9d which means that only emergency              prepared in accordance with DoD Instruction             generated and maintained. These\nmaintenance changes are applied. Emergency maintenance           8500.2.                                                 
inconsistencies included:\nchanges are those software changes required to maintain                                                                  \xe2\x80\xa2 SCRs were generally not created if the\ncompliance with applicable Federal statutes and regulations.                                                                 Change Control Board knew that the\n                                                                                                                             request would not be authorized.\nSTANFINS software changes, with the potential exception of\n                                                                                                                         \xe2\x80\xa2 All Change Control Board meetings\nchanges required to accommodate interfacing systems, must be\n                                                                                                                             were informal, held as needed, and\naccompanied by a completed SCR form. The SCR must be\n                                                                                                                             most communication regarding\nfilled out and approved by the System Owner before the change\n                                                                                                                             proposed changes was discussed\nis tested and migrated to production.\n                                                                                                                             verbally (not documented).\nPrior to testing, each SCR requires a documented TCR form to                                                             \xe2\x80\xa2 Of 15 SCRs and TCRs generated\nbe filled out, including a sign-off documenting the STANFINS                                                                 October 2, 2002 through October 2004\nPMO Functional group\xe2\x80\x99s approval. 
Testing is performed using                                                                  (3 in FY 2003 and 12 in FY 2004),\nproduction data in a test environment                                                                                        only three had e-mail documentation to\n                                                                                                                             support the change.\nOnce the TCR is authorized, the PMO Functional group sends                                                               \xe2\x80\xa2 Of the 12 FY 2004 SCRs, only three\nan e-mail to TSO regarding the change release. A checklist is                                                                copies of e-mails notifying the DFAS\nused to determine that all appropriate steps have been taken                                                                 field sites of changes were maintained.\nprior to packaging the software change for DECC\nimplementation. DECC is contacted to determine that they are    \xe2\x80\xa2   Performed inquiry of the PMO Accountant          \xe2\x80\xa2   STANFINS application changes were\nready to receive, and have received, the release.                   and Lead Specialist to verify the process used       manually controlled, migrated, and\n                                                                    to document and authorize changes.                   released from the testing environment;\n                                                                                                                         however, the documentation was not\n                                                                                                                         appropriately maintained as seen in the\n                                                                                                                         exception above. 
Specifically, there was\n                                                                                                                         no automated version controls (i.e., a\n                                                                                                                         program change version control system) to\n                                                                                                                         track changes to STANFINS.\n\n\n\n\n                                                                             70\n\x0cControl Description                                                 Tests of Operating Effectiveness                     Results of Tests of Operating Effectiveness\n\nControl Activity:\nCC-2.3 Distribution and implementation of new or revised software is controlled.\nDFAS\nOnce the release has been shipped, DISA DECC-St. Louis is         \xe2\x80\xa2 Inspected procedures and inquired of an              \xe2\x80\xa2   No exceptions noted.\nresponsible for distribution and implementation.                    Accountant, IT Specialist, and Lead\n                                                                    Technician to obtain an understanding of\n                                                                    responsibilities for distribution and\n                                                                    implementation of STANFINS application\n                                                                    changes.\nDISA\nE-mail communication from DFAS developers denoting items          \xe2\x80\xa2 Inspected the notification e-mails for               \xe2\x80\xa2   No exceptions noted.\nsuch as the change type, implementation dates, and additional       STANFINS changes applied during the\ninstructions regarding changes are sent directly to the personnel   examination period to determine whether\nimplementing the changes in the TSB. 
The TSB is responsible         implementation dates for STANFINS were\nfor Capacity Management, Operating Systems, Database, and           communicated to personnel implementing the\nOperations Support at DISA DECC.                                    changes in the TSB.\n\nDISA DECC-St. Louis is responsible for copying all the release      \xe2\x80\xa2   Performed inquiry of the PMO Accountant\ndata to the production application library. They coordinate             and Lead Specialist to verify the process used   \xe2\x80\xa2   No exceptions noted.\nwith CDOIM/DOIM to implement the production release. The                to document and authorize changes.\nCDOIM/DOIM reconciles the production application library to\nvalidate that the DECC completely and accurately copied all\nthe data over to the production directory. The CDOIM/DOIM\nis responsible for coordinating with all of the appropriate field\nsites affected by the release.\n\nOnce a date has been agreed to between the field sites and the\nCDOIM/DOIM, the CDOIM/DOIM instructs the DECC to\nrelease the change on the specified time and date. The DECC\nreleases all changes as specified by the CDOIM/DOIM. 
Once\nchanges are released, a final notification is sent from the DECC\nto the CDOIM/DOIM confirming the release.\n\n\n\n\n                                                                                 71\n\x0cControl Description                                                Tests of Operating Effectiveness                    Results of Tests of Operating Effectiveness\nControl Activity:\nCC-3.1 Programs are labeled and inventoried.\nDFAS\nSTANFINS program changes are conducted manually and the            \xe2\x80\xa2   Inquired of the Lead Specialist regarding       \xe2\x80\xa2   STANFINS application changes were\nIT Specialist is responsible for creating/titling each version         procedures for labeling and inventorying            manually controlled, migrated, and\nchange and helping to ensure that each site is using the correct       STANFINS application programs.                      released from the testing environment;\nversion of STANFINS.                                                                                                       however, the documentation was not\n                                                                                                                           appropriately maintained. 
Specifically,\n                                                                                                                           there was no automated version controls\n                                                                                                                           (i.e., a program change version control\n                                                                                                                           system) to track changes to STANFINS.\n\n                                                                                                                       \xe2\x80\xa2   Inconsistencies in documentation included:\n                                                                                                                           \xe2\x80\xa2 SCRs were generally not created if the\n                                                                                                                               Change Control Board knew that the\n                                                                                                                               request would not be authorized.\n                                                                                                                           \xe2\x80\xa2 All Change Control Board meetings\n                                                                                                                               were informal, held as needed, and\n                                                                                                                               most communication regarding\n                                                                                                                               proposed changes was discussed\n                                                                                                                               verbally.\n                           
                                                                                                \xe2\x80\xa2 Of 15 SCRs and TCRs generated\n                                                                                                                               October 2, 2002 through October 2004\n                                                                                                                               (3 in FY 2003 and 12 in FY 2004),\n                                                                                                                               only three had e-mail documentation to\n                                                                                                                               support the change.\n                                                                                                                           \xe2\x80\xa2   Of the 12 FY 2004 SCRs, only\n                                                                                                                               three copies of e-mails notifying\n                                                                                                                               the DFAS field sites of changes\n                                                                                                                               were maintained.\nControl Activity:\nCC-3.2 Access to program libraries is restricted.\nDISA\nDISA is responsible for administering access to STANFINS           \xe2\x80\xa2   Inspected policies and procedures on granting   \xe2\x80\xa2   No exceptions noted.\nproduction program libraries. DISA administers access based            and monitoring access to STANFINS IT\non approved access request forms received from appropriate             resources.\nDFAS points of contact. 
Additionally, DECC user access to\nSTANFINS production libraries is limited to operation support\n\n\n                                                                                72\n\x0cControl Description                                         Tests of Operating Effectiveness                     Results of Tests of Operating Effectiveness\nstaff responsible for responding to customer requests and\ntroubleshooting.                                            \xe2\x80\xa2   Inquired of DISA DECC-St. Louis Security         \xe2\x80\xa2   No exceptions noted.\n                                                                Division Branch Chief to determine the\n                                                                process for granting access to STANFINS.\n\n\n                                                            \xe2\x80\xa2   Inspected access control procedures to           \xe2\x80\xa2   No exceptions noted.\n                                                                determine whether the process for granting,\n                                                                monitoring, and removing access to\n                                                                STANFINS (including the GSS) followed\n                                                                DoD Instruction 8500.2 Information\n                                                                Assurance Implementation guidance, which\n                                                                requires procedures to address need to know\n                                                                access, security awareness training for users,\n                                                                and verification of a favorable background\n                                                                investigation/ active security clearance.\n\n                                                            \xe2\x80\xa2   Inspected access request 
forms for a random      \xe2\x80\xa2   At DISA DECC-St. Louis, we selected 42\n                                                                sample of users of STANFINS (at the                  users and requested their user access\n                                                                application and network level) to determine          request out of form packets. Out of the\n                                                                whether management authorized access.                sample of 42 packets:\n                                                                                                                     \xe2\x80\xa2 One user did not have a completed\n                                                                                                                         access request form;\n                                                                                                                     \xe2\x80\xa2 Three individuals had at least one\n                                                                                                                         access request form without a Security\n                                                                                                                         representative\xe2\x80\x99s signature certifying\n                                                                                                                         that the individual\xe2\x80\x99s background\n                                                                                                                         checks/security clearances were\n                                                                                                                         appropriate;\n                                                                                                                     \xe2\x80\xa2 Six individuals had at least one access\n                                   
                                                                                      request form where the user\n                                                                                                                         acknowledgement portion was not\n                                                                                                                         signed.\n\n                                                                                                                 \xe2\x80\xa2   Two separated employees retained access\n                                                            \xe2\x80\xa2   Obtained and inspected the ACL for\n                                                                                                                     to one or more of the domains where\n                                                                STANFINS to determine whether terminated\n                                                                                                                     STANFINS resides.\n                                                                employees had access.\n\n\n\n                                                                         73\n\x0cControl Description                                         Tests of Operating Effectiveness                  Results of Tests of Operating Effectiveness\nDFAS\nProgrammer access to production files is limited. DISA      \xe2\x80\xa2   Inspected DFAS policies and procedures to     \xe2\x80\xa2   Of the ten DFAS sites, DFAS-Indianapolis\nadministers access based on approved access request forms       determine whether guidance was established        (PMO and TSO), DFAS-Pacific, DFAS-\nreceived from appropriate DFAS points of contact.               to outline ELAN administrator security            Japan and DFAS-Rome stated that there\n                                                                responsibilities.                          
       was no DFAS service-wide policy or\n                                                                                                                  guidance document outlining local ELAN\n                                                                                                                  administrator security responsibilities\n                                                                                                                  versus those of centralized groups\n                                                                                                                  responsible for the administration/\n                                                                                                                  monitoring of DFAS-wide network\n                                                                                                                  security.\n\n                                                            \xe2\x80\xa2   Inspected access control procedures to        \xe2\x80\xa2   During testing, DFAS field sites were\n                                                                determine whether the process for granting,       unable to generate STANFINS and TAPS\n                                                                monitoring, and removing access to                user access lists directly from the security\n                                                                STANFINS (including the GSS) followed             system. As a result, of the ten DFAS field\n                                                                OMB A-130 and DoD guidance.                       
sites, DFAS-Rome, DFAS-Denver, DFAS-\n                                                                                                                  San Antonio, DFAS-Lawton, DFAS-\n                                                                                                                  Columbus, DFAS-Indianapolis and DFAS-\n                                                                                                                  Pacific, DFAS-Seaside DFAS field sites\n                                                                                                                  could not:\n                                                                                                                  \xe2\x80\xa2 Identify all TAPS modes (access\n                                                                                                                       privileges) assigned to users;\n                                                                                                                  \xe2\x80\xa2 Determine whether users had\n                                                                                                                       inappropriate access to TAPS modes,\n                                                                                                                       based on job responsibilities; and\n                                                                                                                  \xe2\x80\xa2 Determine whether manually derived\n                                                                                                                       and maintained access control lists\n                                                                                                                       accurately reflected the user\n                                                                                                                       
population.\n\n\n                                                                                                              \xe2\x80\xa2   Of the ten DFAS field sites, nine field sites\n                                                                                                                  (DFAS-Rome, DFAS-Denver, DFAS-\n                                                                                                                  Lawton, DFAS-San Antonio, DFAS-\n                                                                                                                  Columbus, DFAS-Seaside, DFAS-\n                                                                                                                  Indianapolis, DFAS-Pacific and DFAS-\n                                                                                                                  Japan) either used locally developed or had\n\n\n\n                                                                         74\n\x0cControl Description   Tests of Operating Effectiveness                 Results of Tests of Operating Effectiveness\n                                                                          not documented procedures for granting,\n                                                                          approving, monitoring, recertifying, and\n                                                                          removing user access to STANFINS and\n                                                                          the ELAN.\n\n                      \xe2\x80\xa2   Inspected access forms for a random sample   \xe2\x80\xa2   Six of ten DFAS user sites did not have\n                          of users of STANFINS (at the application         complete or existing authorizations for\n                          and network level) to determine whether          STANFINS users as follows:\n                          management authorized access.                 
DFAS-Denver:
• 18 STANFINS user access forms did not have an ELAN Account Request Form on file.
DFAS-Pacific:
• Justification for STANFINS user access was pre-populated on user access forms by the TASOs and may not support actual needs.
• The functional data owner’s signature was missing from TAPS user request forms on two of the eight forms inspected.
DFAS-Japan:
• Four out of 31 ELAN access request forms that users filled out in 1998 did not have an approval (signature).
• Two external ELAN users had not signed user agreements.
• Seven out of 53 DD 2875/DISA 41 forms did not contain a business reason for the access request.
• One out of 53 DD 2875/DISA 41 forms did not contain a business case that adequately explained the reason for the access request.
• One out of 26 Defense Internet Service Provider (DISP) User Access Request forms could not be found.
• Two out of 26 user access forms were not signed by the TASO.
• One out of 26 user access forms did not contain a supervisor signature or a business case justification.
DFAS-Rome:
• Three out of 30 user access forms did not have authorization documentation available.
• 11 of 29 users with DISP accounts did not have a DISP user access request form with the appropriate approvals and/or justification. Two of these users had STANFINS accounts.
DFAS-San Antonio:
• 32 out of 41 LAN user access forms did not have an access request form on file.
DFAS-Seaside:
• 68 of 72 access request forms did not include an adequate business reason/justification for the access requested.
• 46 of 72 access request forms had a pre-populated response that included the type of access the user needed, but did not justify the access.
• Three out of 31 internal LAN user access forms did not have the functional data owner’s signature.
• 14 of 31 internal LAN user access forms did not have the original user access request form used to create their account.
• Four of 31 internal users’ access request forms were not signed by the information security officer.
• There was no evidence of LAN access request forms or DISP user access request forms being used prior to February 10, 2005.

Test: Inquired of DFAS ISSOs/TASOs, as well as DFAS field site supervisors, and inspected user access listings to TAPS/STANFINS to determine whether user access was commensurate with job responsibilities.
Result:
• At DFAS-Japan, DFAS-Lawton, DFAS-San Antonio, DFAS-Pacific, DFAS-Rome and DFAS-Seaside, users had access that was not required by their job responsibilities.

Control Activity:
CC-3.3 Movement of programs and data among libraries is controlled.
DISA
Control Description: Production program changes are migrated by DISA DECC-St. Louis personnel. DISA DECC-St. Louis personnel receive changes from authorized points of contact and implement changes in the production environment as directed by DFAS POCs.
Test: Inquired of the TSB Chief and inspected policies and procedures regarding movement of STANFINS programs among libraries.
Result:
• No exceptions noted.
DFAS
Control Description: DFAS has documented a change control process and work flow plan that details how each change is identified, requested, approved, and moved along the appropriate libraries.
Test: Inspected a work flow diagram regarding movement of STANFINS programs among libraries.
Result:
• No exceptions noted.
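The user access tests reported above (a request form on file, a business justification rather than a pre-populated access type, the required signatures, and access commensurate with the user’s job) are the kind of check a site can run itself against an exported account listing before the auditors do. The following Python is an added example; it is not part of the report and not DFAS or DISA tooling. The form fields, the set of required signatures (REQUIRED_SIGNATURES), the role-to-access mapping (ROLE_ACCESS), the boilerplate justification list and all user records are constructed assumptions.

```python
"""Reconcile a user access listing against the access request forms on file.

Added example (not from the report). Form fields, role names, the
role-to-access mapping and the sample records below are assumptions.
"""
from dataclasses import dataclass, field

# Signatures a request form must carry before an account is created (assumed).
REQUIRED_SIGNATURES = {"user", "supervisor", "data_owner"}

# Access each job role legitimately needs (assumed mapping).
ROLE_ACCESS = {
    "voucher_examiner": {"STANFINS-READ", "STANFINS-UPDATE"},
    "accountant": {"STANFINS-READ"},
    "taso": {"STANFINS-READ", "ACCT-ADMIN"},
}

# Justifications that only name the access type are treated as pre-populated
# boilerplate rather than a business reason for the access.
BOILERPLATE = {"", "access needed", "read/update access", "standard access"}


@dataclass
class RequestForm:
    user: str
    access: set            # access types the form requests
    justification: str
    signatures: set = field(default_factory=set)


@dataclass
class Account:
    user: str
    role: str
    access: set            # access types actually granted on the system


def reconcile(accounts, forms):
    """Return (user, exception) tuples for every account that fails a check."""
    forms_by_user = {f.user: f for f in forms}
    exceptions = []
    for acct in accounts:
        form = forms_by_user.get(acct.user)
        if form is None:
            exceptions.append((acct.user, "no access request form on file"))
        else:
            if form.justification.strip().lower() in BOILERPLATE:
                exceptions.append((acct.user, "form lacks business justification"))
            missing = sorted(REQUIRED_SIGNATURES - form.signatures)
            if missing:
                exceptions.append((acct.user, "form missing signatures: " + ", ".join(missing)))
            unapproved = sorted(acct.access - form.access)
            if unapproved:
                exceptions.append((acct.user, "access not on approved form: " + ", ".join(unapproved)))
        # Independent of the paperwork: is the granted access needed by the job?
        excess = sorted(acct.access - ROLE_ACCESS.get(acct.role, set()))
        if excess:
            exceptions.append((acct.user, "access exceeds job role: " + ", ".join(excess)))
    return exceptions


# Constructed sample data (not real users or forms).
ACCOUNTS = [
    Account("alice", "voucher_examiner", {"STANFINS-READ", "STANFINS-UPDATE"}),
    Account("bob", "accountant", {"STANFINS-READ", "STANFINS-UPDATE"}),
    Account("carol", "accountant", {"STANFINS-READ"}),
    Account("dave", "taso", {"STANFINS-READ", "ACCT-ADMIN"}),
]
FORMS = [
    RequestForm("alice", {"STANFINS-READ", "STANFINS-UPDATE"},
                "Examines and certifies travel vouchers for serviced units",
                {"user", "supervisor", "data_owner"}),
    RequestForm("bob", {"STANFINS-READ"}, "read/update access",
                {"user", "supervisor"}),
    RequestForm("dave", {"STANFINS-READ", "ACCT-ADMIN"},
                "Site TASO; creates and maintains STANFINS user accounts",
                {"user", "supervisor", "data_owner"}),
]

if __name__ == "__main__":
    for user, problem in reconcile(ACCOUNTS, FORMS):
        print(f"{user}: {problem}")
```

The role check runs whether or not a form exists, because a signed and justified form does not make excess access appropriate; the report’s finding that users at six sites held access not required by their jobs is exactly the case a complete set of forms would not catch.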
System Software (SS)

Controls provide reasonable assurance that the implementation of new system and vendor-supplied software and utilities and changes to existing system and vendor-supplied software and utilities are authorized, tested, approved, properly implemented, and appropriately documented.

Control Activity:
SS-1.1 Access authorizations are appropriately limited.
DISA
Control Description:
Policies for restricting access to systems software are detailed in the OS/390 STIG. The document establishes guidelines for restricting access to sensitive system datasets. The network device control policy is detailed in the Network Infrastructure STIG, which outlines access restrictions to network devices, and also details the secure configuration of network devices.

The Executive Software Configuration Control Board (ESCCB) uses a Web-based application, the Software Factory, a software package distribution database, to receive all software configuration change requests and then routes them to the appropriate ESCCB staff and board for approval. The Software Factory does not allow access to the software unless the individual is listed on an authorized user listing. The individual must have permissions established within Resource Access Control Facility (RACF) and must also match the authorized user listing of the Software Factory application. Additionally, when the individual accesses the Software Factory, the system is automatically configured to distribute e-mail notifications to designated points of contact at the DISA DECC-Mechanicsburg, DISA DECC-St. Louis, and SSO-Mechanicsburg.

Test: Inspected Top Secret and Access Control Facility 2 (ACF2) STANFINS-related domain ACLs to determine whether access to system software datasets and utilities was limited.
Results:
• DECC users had “Write” or “Allocate” access to STANFINS production application datasets on two of five ACF2 ASIMS domains and excessive access on the Top Secret ASIMS Far East domain.
• Access to SYS1 datasets was assigned inconsistently across the ACF2 ASIMS domains. Additionally, access to SYS1 datasets was not based on segregation of duties principles for the ACF2 and Top Secret domains.
• DISA DECC-St. Louis did not restrict access to sensitive system software utilities on the ACF2 domains via the Protected Program List (PPGM), as required by the OS/390 STIG. For Top Secret, access to sensitive utilities on the Top Secret ASIMS Far East domain was not restricted based on segregation of duties principles.

Test: Inspected the listing of authorized users for Software Factory and RACF at DISA DECC-Mechanicsburg and DISA DECC-St. Louis and inquired of the DISA DECC-St. Louis TSB Chief to determine whether user access was commensurate with job responsibilities.
Results:
• At the DECC-Mechanicsburg, two individuals on the listing no longer required access to the Software Factory.
• At DECC-St. Louis, users had access to sensitive datasets that were not necessary for their job responsibilities.

Control Activity:
SS-2.1 Policies and techniques have been implemented for using and monitoring use of system utilities.
DISA
Control Description: Mainframe audit log policies are outlined in the OS/390 STIG, Volume 1. The OS/390 STIG requires review of dataset access violations, resource violations, and program use violations on a daily basis and requires review of the failed log-on attempts and security privileges on a weekly/monthly basis. Security reports for the six STANFINS-related ASIMS domains (five ACF2 and one Top Secret domain) are available for DISA DECC-Mechanicsburg and DISA DECC-St. Louis to monitor.
Test: Inquired of security administrators and inspected policy statements related to audit logging and compared results to audit settings of security software.
Results:
• No audit log was created for the use of sensitive system utilities on the ACF2 domains; thus, DISA DECC-St. Louis could not review program use violations.
• Top Secret was not consistently configured to generate audit logs for all sensitive utilities; thus, DISA DECC-St. Louis could not review program use violations.

Control Activity:
SS-2.2 Inappropriate or unusual activity is investigated and appropriate actions taken.
DISA
Control Description: DISA DECC-Mechanicsburg implemented an audit log review spreadsheet as of January 3, 2005, which is used to identify activities that warrant follow-up. The audit log review spreadsheets for each domain are made available to senior management via shared network folders. The Security Division Branch Chief will periodically monitor these files to help ensure the logs are monitored and to review trends. DISA DECC-Mechanicsburg relies on the automated security reporting features of ACF2. ACF2 generates reports from raw System Management Facility (SMF) records based on type of activity (e.g., log-on ID modification, dataset access violation, etc.). Similarly, DISA DECC-St. Louis relies on the automated security reporting features of Top Secret. The OS/390 STIG requires the DECC to review the ACF2 and Top Secret global control options at least quarterly to determine whether any changes were authorized and necessary.
Test: Inquired to determine whether all changes to security profiles by security managers were automatically logged and periodically reviewed by management independent of the security function. Inquired of security administrators and inspected logs to determine whether unusual activity was investigated.
Results:
• Log data of changes to ACF2 and Top Secret security profiles were not consistently maintained and archived on the mainframe across the six ASIMS (one Top Secret, five ACF2) domains. As a result:
  • No ACF2 log review evidence existed, to include changes to ACF2 security profiles, or violation logs prior to January 3, 2005.
  • No Top Secret log review evidence existed, to include changes to security profiles, or violation logs.
  • Sufficient contact information did not exist to adequately follow up on issues identified during review of the logs. The contacts listed on the logs were not the appropriate contacts.

Control Activity:
SS-3.1 System software changes are authorized, tested, and approved before implementation.
DISA
Control Description:
DISA DECC-St. Louis uses change request templates for system software changes. Configuration Control Board (CCB) Instructions to be Followed for Preparation of Configuration Change Proposal (CCP) requires the following details for changes: major project/goal, change description, scope of change, domains affected, back-out procedures, downtime, and special instructions.

SSO Mechanicsburg is responsible for building, testing, and distributing implementation-ready Mainframe Executive Software Suites for all test and production LPARs. This includes all software changes, releases, maintenance, and upgrades. The DECC and SSO technical staff participate in testing of system software changes, coordinate the scheduling, customer interfaces and administrative changes, implement the revised software suites, and provide operational technical support.

If the proposed change impacts DISA DECC-St. Louis customers, a formal synopsis of the change is sent to the customers affected for coordination purposes.

The REMEDY help desk ticket system tracks any identified problems.

Emergency system software changes follow the same process as any other system software change, only the process is expedited.

SSO is responsible for the standardization and optimization of the executive software suites for all DECCs. The Executive Support Plan documents and delegates these responsibilities to the SSO. The support plan states that the SSO will provide three levels of support: Standard Operating Environment (SOE), Centrally Supported Systems (CSS), and Consolidated Maintenance Contract (CMC).

DISA DECC-Mechanicsburg employs a change management process for all software changes/requests called the ESCCB. An individual making a request for a change to or for new software must submit a request via a Web-based form. The ESCCB board meets on a weekly basis to review the requests submitted over the past week. The policies and procedures of the board set forth the process for submission and approval of change requests.

Applicable domains track system software changes.

Test: Inquired of the DISA DECC-St. Louis TSB Chief regarding procedures for making changes to system software supporting STANFINS.
Result:
• DISA did not develop system software change management procedures detailing specific DECC roles, responsibilities, and procedures regarding identification of system software problems, testing of changes, impact analyses, approvals, implementation and verification, and documentation requirements.

Test: Inspected system software change logs to determine whether system software changes on the STANFINS-related mainframe domains were tracked.
Results:
• No audit log was created for the use of sensitive system utilities on the ACF2 domains; thus, DISA DECC-St. Louis could not review program use violations.
• Top Secret was not consistently configured to generate audit logs for all sensitive utilities; thus, DISA DECC-St. Louis could not review program use violations.

Test: Selected a random sample of STANFINS system software/DB changes to determine whether required documentation was present.
Result:
• DISA SSO and DISA DECC-St. Louis lacked change documentation that included detailed information about the change, such as test results or impact analysis.

Test: Inspected the notification e-mails for STANFINS changes applied during the examination period to determine whether implementation dates for STANFINS were communicated to personnel implementing the changes in the TSB.
Result:
• No exceptions noted.

Test: Inquired of STANFINS system owners and System Administrators to determine whether procedures were developed and documented for identifying, recording, and tracking STANFINS-related system software problems.
Result:
• DISA did not develop system software change management procedures detailing specific DECC roles, responsibilities, and procedures regarding identification of system software problems, testing of changes, impact analyses, approvals, implementation and verification, and documentation requirements.

Test: Inspected vendor support agreements to determine whether they were current and provided coverage for computer assets.
Result:
• No exceptions noted.

Test: Inquired of management to determine whether migration of tested and approved STANFINS system software to the production environment was performed by an independent library control group.
Result:
• The TSB migrated tested and approved system software changes; however, there were no documented policies requiring migration of system software changes into production by an independent library control group. The same person could develop/identify the change request, test the proposed change, and implement the change.

Test: Compared user listings for individuals with access to migrate changes into the production environment to determine whether it was commensurate with job responsibilities.
Result:
• At the DECC-Mechanicsburg, two individuals listed as authorized users for the Software Factory no longer required access.

Test: Inquired of the DISA DECC-St. Louis TSB Branch Chief and inspected documentation and system-generated inventories to determine whether DISA DECC-St. Louis maintained an inventory of programs on STANFINS-related mainframe domains.
Result:
• No exceptions noted.
DFAS
Control Description: The CDOIM/DOIM is responsible for locally identifying and tracking problems related to STANFINS. CDOIM/DOIM maintains a copy of a log of all system problems. The log itself is not STANFINS specific; however, problems related to STANFINS are on the list.
Test: Inquired of the TSO and CDOIM IT Specialists and inspected the CDOIM Operations Management Plan to determine whether procedures existed for identifying and documenting STANFINS-related system software changes.
Result:
• No exceptions noted.

Control Activity:
SS-3.2 Installation of system software is documented and reviewed.
DISA
Control Description:
DISA DECC-St. Louis tests patches, upgrades, and new system software depending on the nature of the change or product.

DISA DECC-St. Louis maintains a list of all software on their systems in the Integrated Assets Configuration Management System database.

Any request for new system software or upgrades to existing system software must be coordinated through the SSO. The SSO packages all software for transmission to DISA DECC-St. Louis.

Test: Inspected system software change logs to determine whether system software changes on the STANFINS-related mainframe domains were tracked.
Results:
• No audit log was created for the use of sensitive system utilities on the ACF2 domains; thus, DISA DECC-St. Louis could not review program use violations.
• Top Secret was not consistently configured to generate audit logs for all sensitive utilities; thus, DISA DECC-St. Louis could not review program use violations.

Test: Selected a random sample of STANFINS system software/DB changes to determine whether required documentation was present.
Result:
• DISA SSO and DISA DECC-St. Louis lacked change documentation that included detailed information about the change, such as test results or impact analysis.

Test: Inquired of the DISA DECC-St. Louis TSB Branch Chief and inspected system-generated inventories to determine whether DISA DECC-St. Louis maintained an inventory of programs on STANFINS-related mainframe domains.
Result:
• No exceptions noted.

Service Continuity (SC) – Backup and Recovery

Controls provide reasonable assurance that computer systems are backed up on a periodic basis and that procedures are employed to maintain the integrity of media.

Control Activity:
SC-2.1 Data and program backup procedures have been implemented.
DISA
Control Description:
Individual jobs are created to run the routine backups based on the domains that STANFINS resides on. A weekly backup job for the ASIMS domain is executed between Sunday evening and Monday morning. During the same weekly backup cycles, operating system and system utility programs are also backed up. Application and operating system/system software utility programs are not backed up to the same piece of media or collocated during storage.

Within 1 or more of 49 StorageTek tape management silos located at the DISA DECC-St. Louis, backups are recorded to data tapes, which are ejected and placed into fireproof storage in a locked tape library until they are rotated to the off-site storage location. Tape library procedures outline tape handling procedures and responsibilities.

The tape management system provides for an index of backup tapes, backup statuses, rotation schedules, etc. When data is recorded to backup tapes erroneously due to program failure or tape media integrity issues, the tape management system automatically detects these errors and produces reports that identify tapes containing errors. Additionally, the integrity of tape media is tested during the annual Continuity of Operations Plan (COOP) exercise, during which backup tapes are restored, as well as by the tape management system immediately after the creation of the backup.

Backup tapes are rotated off-site for three weeks and then returned to the DISA DECC-St. Louis facility for reuse. The only time the tapes are deposited or removed is during the weekly delivery/pickup of the off-site storage vendor. These actions are logged through the required delivery/pickup receipts. During transit to and from the off-site storage location, tapes are stored in fireproof containers.

The off-site processing facility is physically removed from the DISA DECC-St.

Test: Inquired of the Operations Manager regarding the backup process and inspected the backup procedures to determine whether a process was developed and documented.
Result:
• No exceptions noted.

Test: Inquired of the Chief of the Capacity Management Branch (CMB) and inspected checklists for backing up STANFINS application files and programs, and key GSS operating systems, configurations, and tape library procedures to determine whether a process was developed and documented to regularly back up data and programs.
Result:
• No exceptions noted.

Test: During a tour of the computer center, observed equipment to note whether tape management silos were used for physical tape management during the backup process.
Result:
• No exceptions noted.

Test: Observed a weekly COOP dump process to verify that secondary tapes were created and sent to the offsite storage facility.
Result:
• No exceptions noted.

Test: Inspected individual pickup/delivery receipts from July 2004 to October 2004 to determine whether tapes were picked up for off-site storage and returned by the off-site storage vendor.
Result:
• No exceptions noted.

Test: Inspected the offsite inventory listing that accompanies the tapes to the offsite storage facility, which contained creation and expiration dates of the tapes and specific storage/rotation requirements, to determine
Louis backup storage site; approximately 35               whether an inventory was documented.\nmiles separate the DECC from the backup storage site.\n                                                                    \xe2\x80\xa2   Inquired of the Chief of the CMB and             \xe2\x80\xa2   No exceptions noted.\nDISA has contracted with the off-site storage facility to provide       inspected COOP test results to determine\nfor physically secure and environmentally sound storage of              whether tapes were tested during the annual\nbackup tapes, which are accessible for disaster/recovery 24             COOP exercise, as well as by the tape\nhours a day/ 365 days of the year.                                      management system immediately after\n                                                                        creation of the backup.\n\n                                                                    \xe2\x80\xa2   Inquired of Chief of the Security Division       \xe2\x80\xa2   No exceptions noted.\n                                                                        and Chief of the CMB and inspected the\n                                                                        contract with the offsite storage provider to\n                                                                        determine whether the offsite storage was\n                                                                        geographically removed from the DECC.\n\n                                                                    \xe2\x80\xa2   Inspected the contract for storage services to   \xe2\x80\xa2   No exceptions noted.\n                                                                        determine whether a current agreement\n                                                                        existed between the offsite storage provider\n                                                                        and the DISA DECC-St. 
Louis.\n\n\n\n\n                                                                                  84\n\x0cService Continuity (SC) \xe2\x80\x93 Physical Computer Asset Protection\n\nAdministrative and operational controls should be established to provide reasonable assurance of the protection of physical computing assets.\n\nControl Description                                              Tests of Operating Effectiveness                   Results of Tests of Operating Effectiveness\nControl Activity:\nSC-2.2 Adequate environmental controls have been implemented.\nDISA\nDISA leases the DECC facility from the GSA. In addition to       \xe2\x80\xa2 Inspected the contract between GSA and           \xe2\x80\xa2   No exceptions noted.\nits capacity as leaseholder, GSA is responsible for maintaining      DISA to determine responsibilities for\nenvironmental control devices (i.e., fire suppression systems;       maintenance of environmental protection\nheating, ventilation, and air conditioning (HVAC); generators,       mechanisms.\netc.) and periodically inspects them to observe that they are\nworking properly. Because GSA is responsible for the             \xe2\x80\xa2 Toured the DECC facility and observed            \xe2\x80\xa2   No exceptions noted.\nmaintenance of environmental controls, the appropriate GSA           physical environment protection\npersonnel undergo initial and periodic training in the operation     mechanisms to note whether the following\nand support of the environmental controls.                           controls were placed into operation:\n                                                                     \xe2\x80\xa2 Smoke detectors;\nFire detection and suppression systems have been installed at\nthe DECC. Within the DECC\xe2\x80\x99s data center there are three              \xe2\x80\xa2 Raised flooring;\nlevels of smoke detection. 
There are smoke detectors placed          \xe2\x80\xa2 Dry pipe sprinkler systems;\nbelow the raised floor, mid-way up the data center walls, and        \xe2\x80\xa2 Fire extinguishers;\non the ceiling of the data center. Each smoke detector can           \xe2\x80\xa2 HVAC systems;\nindependently detect the presence of smoke. A dry pipe               \xe2\x80\xa2 Humidity monitors and alarms;\nsprinkler system is activated upon triggering of the alarm           \xe2\x80\xa2 UPS;\nsystem. There are also a total of 19 fire extinguishers\n                                                                     \xe2\x80\xa2 Diesel generators;\nthroughout the data center. Additionally, smoke detectors are\ninstalled in the administrative/office areas of the DECC. GSA        \xe2\x80\xa2 Emergency lighting;\nperforms an annual test of each smoke detector in the DISA           \xe2\x80\xa2 Exit signs; and\nDECC-St. Louis facility.                                             \xe2\x80\xa2 Emergency power cut-off buttons.\n\nThere are four chilling units that support the HVAC system in      \xe2\x80\xa2   Inspected a contract regarding testing and   \xe2\x80\xa2   No exceptions noted.\nplace for the data center. Because only one unit is required to        equipment maintenance for the following\ncool the entire data center, the HVAC system is redundantly            environmental protection mechanisms:\narchitected to provide uninterrupted cooling for the data center       \xe2\x80\xa2 Fire suppression devices;\nshould units simultaneously fail.                                      \xe2\x80\xa2 Diesel generators and engine controls;\nHumidity controls are placed throughout the data center, and\n                                                                       \xe2\x80\xa2 Underground storage tank;\npersonnel monitor them. 
Automated monitors poll gauges                 \xe2\x80\xa2 Switchgear system;\n\n\n                                                                                85\n\x0cControl Description                                                  Tests of Operating Effectiveness                Results of Tests of Operating Effectiveness\nhourly and compare humidity levels to predefined \xe2\x80\x9cacceptable\xe2\x80\x9d            \xe2\x80\xa2 Day tank and fuel storage/handling\nthresholds. Humidity gauges are linked to an alarm in the                    system;\nSMC. GSA personnel monitor and adjust the humidity controls              \xe2\x80\xa2 Ancillary and accessories equipment\nand the other environmental controls located in the SMC.                     systems;\n                                                                         \xe2\x80\xa2 Lubrication system;\nDISA DECC-St. Louis\xe2\x80\x99s power supply is configured to switch\nautomatically between the two commercial power feeds should              \xe2\x80\xa2 HVAC;\none line fail. An Uninterruptible Power Supply (UPS)                     \xe2\x80\xa2 Ventilation and exhaust system;\nconditions electricity flowing on the feeds to eliminate spikes          \xe2\x80\xa2 Starting batteries and charging system;\nand sags. In the event that both commercial power feeds fail,                and,\nthe system is configured to automatically switch to battery              \xe2\x80\xa2 Safety Shutdown & Alarm system.\npower provided by the UPS while one or more of the four\nbackup diesel generators are started. The transition usually         \xe2\x80\xa2   Inquired of the Chief of the TSB and        \xe2\x80\xa2   No exceptions noted.\ntakes less than one minute. Once the diesel generators are               inspected recovery plan documents to\nrunning, the power feed is automatically switched to the diesel          determine whether SLAs were arranged\ngenerator(s).                                                  
          with IT equipment vendors to provide for\n                                                                         two-hour response times.\nGSA activates the generators twice a year for testing purposes\nand services generators with regular and as-necessary\nmaintenance.\n\nEmergency lighting during emergency exits and evacuation\nroutes do not provide an exact route; however, they are\nadequate for providing lighting to escape the building. Exit\nsigns are displayed and illuminated at all times for easy\nidentification in an emergency.\n\nThere is a red emergency cut-off button near the two main\nentrances to the DECC\xe2\x80\x99s data center. The button is labeled and\nprotected by a clear plastic cover to prevent accidental shut-off.\n\nDISA maintains service contracts with IT equipment vendors\nthat provide for two-hour response times in service level\nagreements (SLAs).\n\n\n\n\n                                                                                  86\n\x0cAuthorization (AN)\n\nControls provide reasonable assurance that only authorized transactions are entered into and processed by the system.\n\n\nControl Description                                             Tests of Operating Effectiveness                    Results of Tests of Operating Effectiveness\nControl Activity:\nAN-1.1 Source documents are controlled and require authorizing signatures.\nDFAS\nBased on their origination point, transactions require          AVK018 Report:                                      \xe2\x80\xa2   Of 9 DFAS Field Sites tested, DFAS-\nauthorization from the appropriate Installation Representative  \xe2\x80\xa2 Observed the entry of invalid alphanumeric            Indianapolis, DFAS-Seaside, DFAS-Japan,\n(i.e., Budget Officer, Program Director) or DFAS.                   characters, incomplete fields, incorrect            DFAS-Lawton, DFAS-Rome, DFAS-\n                                                                    APCs, and invalid total cards. 
Inspected            Columbus, DFAS-Pacific, and DFAS-San\nInstallation-Originating Transactions                               documentation to verify the error was               Antonio, no standard procedures were\nInstallations send key source documents such as Transmittal         included in the AVK018 report with                  maintained or enforced to ensure that errors\nLetters (TLs), FADs, APC, Add/Change requests, or other             appropriate coding. Verified that report was        were properly reconciled, authorized,\nrequests to generate a transaction to DFAS via mail, e-mail,        being reviewed to correct exceptions.               corrected, and documented.\nand fax. Each of the significant classes of transactions can\noriginate from the installation including Funding, Obligations,                                                     \xe2\x80\xa2   DFAS-Denver, DFAS-Pacific, DFAS-\nDisbursements, Transactions by Others (TBO), Collections,                                                               Rome, DFAS-Seaside, DFAS-Indianapolis,\nReimbursables, and APC Masterfile Maintenance. The                                                                      DFAS-Columbus. DFAS-Japan, DFAS-San\nauthorization process is the same for each.                                                                             Antonio and DFAS-Lawton did not\n                                                                                                                        maintain documented evidence/signatures or\nThe DFAS Accounting Technician performs a visual review to                                                              note who performed the corrections and\ndetermine whether an appropriate individual has authorized the                                                          whether the correction was appropriate..\nkey source document. 
DFAS maintains an authorized point of       Control Cards\ncontact listing for each of their customers and/or signature     \xe2\x80\xa2  Inquired of management to determine             \xe2\x80\xa2   DFAS-Denver, DFAS-San Antonio, DFAS-\nverification cards to aid Accounting Technicians in the             whether accounting technicians and                  Seaside, DFAS-Rome. and DFAS-Pacific of\nperformance of their reviews. Should DFAS obtain source             supervisors validated the data input into the       the 6 sites tested, did not maintain\ndocuments from individuals not identified as authorized points      STANFINS daily cycle. Inspected evidence            documented standard operating procedures\nof contact, DFAS will not process the request and contact the       of control was documented.                          related to the review of the control cards.\nappropriate authorized point of contact for resolution.\n\nDFAS-Originating Transactions                                                                                       \xe2\x80\xa2   DFAS-Orlando, DFAS-Indianapolis, DFAS-\nTransactions originating within DFAS include error                                                                      Denver, DFAS-San Antonio and DFAS-\ncorrections, journal vouchers, and control cards.                                                                       Columbus did not perform an independent\n                                                                                                                        or supervisory review of the control cards.\nError Corrections\nThe AVK018, Daily Preliminary Balance, is the primary report\nused to identify data entry errors. 
Control Group or\n\n\n                                                                              87\n\x0cControl Description                                               Tests of Operating Effectiveness              Results of Tests of Operating Effectiveness\nAccounting Technicians use OLRV to retrieve the AVK018\nreport. The Accounting Technician reviews the report,\nperforms research, and hand marks the types of corrective\naction needed on the report (generally via an update entered by\nthe Accounting Technician through the TAPS). The error\ncorrection is applied upon the original block ticket number\nassigned in STANFINS unless the transaction is released\n(deleted) and re-input. DFAS Accounting Technicians and\nAccountants have been identified as trusted agents on behalf of\nthe DFAS and the installation, and as such, do not obtain\nadditional authorization to correct transaction errors.\n\nControl Cards\nControl cards, or the files that are used to set various\nparameters that control that day\xe2\x80\x99s STANFINS batch processing\ncycle are either manually input or set within STANFINS via a\nmacro program (a preprogrammed series of computer\ncommands). Parameters set within control cards are visually\nreviewed to determine whether they were input properly. Some\nDFAS sites make a notation on printouts as evidence of their\nreview, while others perform a visual review with no notations.\nSome DFAS sites maintain the reports while others do not.\nThe Systems Office generates the cycles each day at a\nscheduled time or upon request of the Accountant/Accounting\nTechnician.\nControl Activity:\nAN-2.1 Data entry terminals are secured and restricted to authorized users.\nDISA\nThe DISA Computing Services Security Handbook details           \xe2\x80\xa2 Inspected policies and procedures for         \xe2\x80\xa2   No exceptions noted.\ngranting access to system resources.                              
granting and monitoring access to\n                                                                  STANFINS IT resources.\nUsers at the DISA DECC-St. Louis have access to STANFINS\napplication production files and data as necessary to support   \xe2\x80\xa2 Inquired of DISA DECC-St. Louis Security      \xe2\x80\xa2   No exceptions noted.\nsystem operation and respond to customer requests. DECC           Division Branch Chief to determine the\nusers also have access to the mainframe GSS where the             process for granting access to STANFINS\napplication resides. The DECC is responsible for creating and     and the GSS.\nmaintaining DECC user accounts, as well as DFAS ISSO and\nTASO accounts at customer sites. The local ISSO/TASO is\n                                                                \xe2\x80\xa2 Inspected access control procedures to        \xe2\x80\xa2   No exceptions noted.\nresponsible for creating and maintaining user accounts at\n                                                                  determine whether the process for granting,\n\n\n                                                                               88\n\x0cControl Description                                                Tests of Operating Effectiveness                   Results of Tests of Operating Effectiveness\ncustomer sites.                                                        
monitoring, and removing access to\n                                                                       STANFINS followed Federal (NIST SP\nUsers at the DECC (the majority of which are system software           800-26 \xe2\x80\x93 Logical Access) and DoD\nmaintenance personnel) requiring access to the mainframe               guidance (DoD Instruction 8500.2 \xe2\x80\x93 Remote\nenvironment complete a form DD (Department of Defense)                 Access, Access Procedures, Access Control\n2875 System Authorization Access Request, used for initial             Policies, Contractor and Foreign Nationals\naccess requests, as well as for changes to an account. An              Access, Comprehensive Account\nauthorized supervisor must sign this form, indicating approval         Management, Least Privilege Procedures,\nof the access. Users must possess a security clearance                 Classified Data Protection).\ncommensurate with the classification level of the system in\norder to obtain access. Passwords are communicated to users\nvia secure means, either in person or via e-mail, using separate   \xe2\x80\xa2   Inspected access forms for a random sample     \xe2\x80\xa2   At DISA DECC-St. Louis, we selected 42\ne-mails to transmit user ID and password.                              of users of STANFINS (at the application           users out of 1441 and requested their user\n                                                                       and network level) to determine whether            access request form packets. Out of the\nThe RAS server connections provide direct dial-in access to the        management authorized access).                     sample of 42 packets:\nnetwork. DECC users requesting remote access must submit                                                                  \xe2\x80\xa2 One user did not have a completed\nan approved access request form (Form DD 2875). 
Remote                                                                        access request form;\naccess is granted to users with a valid need, which must be\n                                                                                                                          \xe2\x80\xa2 Three individuals had at least one\napproved by a supervisor, to access the network remotely.\n                                                                                                                              access request form without a Security\nTypically, users are granted remote access in order to respond\n                                                                                                                              representative\xe2\x80\x99s signature certifying that\nquickly to emergency situations and resolve problems when not\n                                                                                                                              the individual\xe2\x80\x99s background\nat the DECC facility. After receiving an approved remote\n                                                                                                                              checks/security clearances were\naccess request, the Security Division staff adds the user to the\n                                                                                                                              appropriate;\nRAS server.\n                                                                                                                          \xe2\x80\xa2 Six individuals had at least one access\nThe STANFINS application and the system software it resides                                                                   request form where the user\non are protected through the mainframe access control                                                                         acknowledgement portion was not\napplications CA-ACF2 and CA-Top Secret.    
                                                                                   signed.\n                                                                   \xe2\x80\xa2   Inquired of DISA DECC-St. Louis Security\n                                                                                                                      \xe2\x80\xa2   DISA DECC-St. Louis did not have a\nDiscretionary access controls are enforced through ACF2 and            Division Branch Chief regarding policies\nTop Secret mainframe security software. Also, access to                                                                   process for recertifying user access to\n                                                                       and procedures for recertifying users access\nshared and networked file systems outside the mainframe                                                                   STANFINS.\n                                                                       in STANFINS.\nenvironment is controlled through discretionary access controls\nenforced through network access privileges.\n                                                                   \xe2\x80\xa2   Obtained and inspected the ACL for\n                                                                                                                      \xe2\x80\xa2   Two separated DISA DECC-St. Louis\n                                                                       STANFINS to determine whether\nThe UML Standardization memo establishes user ID rules for                                                                employees retained access to one or more of\n                                                                       terminated employees had access.\nDECC users. DECC user IDs are configured to identify the                                                                  the domains where STANFINS resides.\nuser\xe2\x80\x99s department, as well as employment status. 
Additionally,\nthe OS/390 STIG requires a unique ACF2 or Top Secret user\n\n\n\n                                                                                89\n\x0cControl Description                                               Tests of Operating Effectiveness                 Results of Tests of Operating Effectiveness\nID for every user.\n                                                                  \xe2\x80\xa2   Inspected ACL to determine whether           \xe2\x80\xa2   No duplicate accounts were identified. (No\nPasswords are not displayed as a user logs in to the mainframe.       duplicate accounts existed.                      exception noted) However, three accounts\nAfter three invalid log-on attempts, ACF2 automatically                                                                on the Far East domain had no user name\nterminates the session. For the Top Secret domains, Top Secret                                                         associated with the ACID. (Exception\nsuspends the user\xe2\x80\x99s account after two invalid log-on attempts.                                                         noted)\n\nBefore authentication, a warning banner is displayed that         \xe2\x80\xa2   Inspected an ACL of remote users and         \xe2\x80\xa2   Remote access to the DISA DECC-St. Louis\ninforms the user that the system is for authorized use only and       inquired of an ISSO to determine whether         mainframe via telnet was not restricted and\nthat activity will be monitored. 
The terminal session                 the access was limited, documented, and          not secured via encryption.\nautomatically logs the user off after 15 minutes of inactivity        approved.\nand a screen-lock appears after 15 minutes, which requires the\nuser to re-authenticate in order to re-gain access.\n                                                                  \xe2\x80\xa2   Inquired of Security Division Branch Chief   \xe2\x80\xa2   Minimum password length on each of the\nInactive accounts are suspended after 35 days of inactivity and\n                                                                      and Security Administrators and inspected        five ACF2 ASIMS domains and the one Top\ndeleted after 90 days of inactivity.\n                                                                      ACF2 and Top Secret security settings to         Secret ASIMS domain was configured to six\n                                                                      determine whether the security products          characters, while the OS/390 STIG requires\n                                                                      were configured in accordance with OS/390        passwords have a minimum of eight\n                                                                      STIG guidance to enforce discretionary           characters.\n                                                                      access controls.\n\n                                                                                                                   \xe2\x80\xa2   Users on the Top Secret ASIMS domain\n                                                                                                                       were not required by the system to use a\n                                                                                                                       national character (e.g., $, @, #) when\n                                                     
creating new passwords, as required by the OS/390 STIG.

    • Users on the ACF2 ASIMS domains were restricted from using their previous four passwords; users should be restricted from using their previous ten passwords, as required by the OS/390 STIG.

    • The Huntsville ASIMS domain had the JOBCK setting set to NOJOBCK. This setting did not require ACF2 to verify whether a user submitting a batch job had been granted the authority to submit batch jobs.

    • An individual user was assigned to the Master Central Security Administrator (MSCA) account on the Top Secret ASIMS Far East domain. The MSCA designation allows full system access and is not required for individual users.

    • 26 DECC ACF2 accounts on the ASIMS domains had passwords that did not expire (MAXDAYS not specified). 147 DECC Top Secret accounts on the Far East ASIMS domain had passwords that did not expire (Password Interval = 0).

    • DECC users had "Write" or "Allocate" access to STANFINS production application datasets on two of five ACF2 ASIMS domains and the Top Secret ASIMS Far East domain.

• Inspected the UML Standardization memo to determine whether naming conventions were established for DECC users.
  Result: No exceptions noted.

• Inquired of the Security Division Branch Chief and system administrators to determine security procedures for logging on and using the network. Inspected GSS (mainframe) policies and procedures to determine whether security procedures were documented.
  Result: No exceptions noted.

• Inquired of the Security Division Branch Chief and inspected procedures to determine whether inactive mainframe user accounts were monitored and removed when not needed. Inspected the Top Secret and ACF2 STANFINS-related domain ACLs to determine whether inactive DECC user IDs were present in the domains.
  Result: 451 ACF2 and 108 Top Secret DECC user accounts across the six STANFINS-related ASIMS domains were inactive for over 180 days or had never been used.

• Observed an individual user sign on to the mainframe to determine whether the opening screen provided a warning banner that stated that the system was for authorized use only and that activity was monitored.
  Result: No exceptions noted.
• Observed a PC terminal to determine whether automatic log-off occurred after a preset number of minutes of inactivity.
  Result: No exceptions noted.

DFAS

Control Description:
The Procedures for ASIMS Access Controls details policies on security access responsibilities and the process to grant user access to STANFINS. DFAS uses user access forms to document the establishment, modification, deletion, or suspension of access to STANFINS IT resources, to include the STANFINS application as well as the ELAN, which DFAS administrative and field sites use to gain access to STANFINS.

To set up ELAN access, the ELAN administrator, prior to establishing a network user ID and password, must approve the ELAN user access form via signature. For some sites, a separate security group approves the form via signature.

Users must have a TAPS account in order to access the STANFINS application. The local TASO/ISSO is responsible for security administration, including the assignment of TAPS accounts. The ISSO creates user accounts for TAPS/STANFINS through a tool called VASS. For the majority of DFAS field sites, a Microsoft Excel spreadsheet, Access database, or other manual means of tracking is used to identify STANFINS/TAPS users, TAPS mode profiles, and assigned TAPS modes. At DFAS-Orlando and DFAS-Japan, TASOs/ISSOs generate ACF2-native listings in order to identify and track who has access to TAPS and STANFINS.

The DFAS ISSP provides guidance in conducting monthly recertifications of STANFINS and ELAN accounts. The ISSO is responsible for providing each supervisor with a STANFINS user listing of access levels, and it is the supervisor's responsibility to validate and authorize user access.

Remote network access via DISP accounts is granted to users with a valid need, which must be approved by a supervisor.

STANFINS application password and user ID rules are configured in the security system software maintained by DISA.

DFAS ELAN procedures include requirements that guide ELAN administrators in the conduct of network security administration.

Tests of Operating Effectiveness and Results:

• Inspected DFAS policies and procedures to determine whether guidance was established to outline ELAN administrator security responsibilities.
  Result: Of the ten DFAS sites, DFAS-Indianapolis (PMO and TSO), DFAS-Pacific, DFAS-Japan and DFAS-Rome stated that there was no DFAS service-wide policy or guidance document outlining local ELAN administrator security responsibilities versus those of the centralized groups responsible for the administration and monitoring of DFAS-wide network security.

• Inspected access control procedures to determine whether the process for granting, monitoring, and removing access to STANFINS and GSS followed Federal guidance (NIST SP 800-26, Logical Access) and DoD guidance (DoD Instruction 8500.2: Remote Access, Access Procedures, Access Control Policies, Contractor and Foreign Nationals Access, Comprehensive Account Management, Least Privilege Procedures, Classified Data Protection).
  Results:
  • During testing, DFAS field sites were unable to generate STANFINS and TAPS user access lists directly from the security system. As a result, eight of the ten DFAS field sites (DFAS-Rome, DFAS-Denver, DFAS-San Antonio, DFAS-Lawton, DFAS-Columbus, DFAS-Indianapolis, DFAS-Pacific and DFAS-Seaside) could not:
    • identify all TAPS modes (access privileges) assigned to users;
    • determine whether users had inappropriate access to TAPS modes, based on job responsibilities; and
    • determine whether manually derived and maintained access control lists accurately reflected the user population.
  • Of the ten DFAS field sites, nine (DFAS-Rome, DFAS-Denver, DFAS-Lawton, DFAS-San Antonio, DFAS-Columbus, DFAS-Seaside, DFAS-Indianapolis, DFAS-Pacific and DFAS-Japan) either used locally developed procedures or had not documented procedures for granting, approving, monitoring, recertifying, and removing user access to STANFINS and the ELAN.
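The DISA findings above (ACF2 accounts with no MAXDAYS and Top Secret accounts with a Password Interval of 0, accounts inactive for over 180 days or never used, a password history of four generations where the OS/390 STIG requires ten) and the DFAS finding that manually maintained spreadsheets could not be shown to match the actual user population are all checks that can be automated once a listing can be pulled from the security system. The Python below is an added example, not code from the report, DISA or DFAS. It runs those checks over a small constructed account export and a constructed manual access list; the record field names (`userid`, `system`, `maxdays`, `pswd_interval`, `last_access`, `modes`) are assumptions standing in for whatever an ACF2 or Top Secret listing actually produces, and only the semantics the report states are used (unset MAXDAYS or interval 0 means the password never expires; never-used IDs count as inactive).

```python
"""Added example (not DISA or DFAS code): the account-hygiene and access-list
reconciliation checks behind the findings above.  The records and their field
names are constructed; they are not the real ACF2 or Top Secret listing formats."""
from datetime import date, timedelta

INACTIVE_DAYS = 180              # threshold used in the inactive-account finding
REQUIRED_PSWD_HISTORY = 10       # password generations the OS/390 STIG requires to be remembered
AS_OF_DATE = date(2005, 3, 31)   # end of the examination period

# Constructed export from the security system, one record per user ID.
# ACF2: maxdays=None means MAXDAYS was not specified.  Top Secret: pswd_interval=0
# means the password never expires.  last_access=None means the ID was never used.
SECURITY_SYSTEM_EXPORT = [
    {"userid": "DECC001", "system": "ACF2", "maxdays": 90,   "pswd_interval": None, "last_access": date(2005, 3, 1),  "modes": {"INQ"}},
    {"userid": "DECC002", "system": "ACF2", "maxdays": None, "pswd_interval": None, "last_access": date(2004, 2, 1),  "modes": {"INQ", "UPD"}},
    {"userid": "DECC003", "system": "ACF2", "maxdays": 90,   "pswd_interval": None, "last_access": None,              "modes": set()},
    {"userid": "FE00017", "system": "TSS",  "maxdays": None, "pswd_interval": 0,    "last_access": date(2005, 3, 20), "modes": {"INQ"}},
    {"userid": "FE00042", "system": "TSS",  "maxdays": None, "pswd_interval": 60,   "last_access": date(2005, 1, 5),  "modes": {"INQ", "UPD", "ADM"}},
]

# Constructed manually maintained list of who is supposed to have access and with which TAPS modes.
MANUAL_ACCESS_LIST = {
    "DECC001": {"INQ"},
    "DECC002": {"INQ"},      # list says inquiry only; the system also grants UPD
    "DECC009": {"INQ"},      # on the list but no longer in the system
    "FE00017": {"INQ"},
    # FE00042 is absent: an account the list does not know about
}


def password_never_expires(acct):
    """ACF2: MAXDAYS not specified.  Top Secret: password interval of 0."""
    if acct["system"] == "ACF2":
        return acct["maxdays"] is None
    return acct["pswd_interval"] == 0


def is_inactive(acct, as_of, threshold_days=INACTIVE_DAYS):
    """Never-used IDs count as inactive, as in the report's finding."""
    if acct["last_access"] is None:
        return True
    return (as_of - acct["last_access"]) > timedelta(days=threshold_days)


def account_hygiene_findings(export, as_of):
    """Return {userid: [finding, ...]} for every account that would be an exception."""
    findings = {}
    for acct in export:
        issues = []
        if password_never_expires(acct):
            issues.append("password does not expire")
        if is_inactive(acct, as_of):
            issues.append("inactive > %d days or never used" % INACTIVE_DAYS)
        if issues:
            findings[acct["userid"]] = issues
    return findings


def password_history_ok(configured_generations, required=REQUIRED_PSWD_HISTORY):
    """Domain-level reuse depth; the report gives the required value, not the option name."""
    return configured_generations >= required


def reconcile(export, manual_list):
    """Compare the security-system export against the manual list.

    Returns (unlisted, stale, mismatched): IDs in the system but not on the list,
    IDs on the list but not in the system, and IDs on both whose modes differ.
    """
    system = {a["userid"]: a["modes"] for a in export}
    unlisted = set(system) - set(manual_list)
    stale = set(manual_list) - set(system)
    mismatched = {u for u in set(system) & set(manual_list) if system[u] != manual_list[u]}
    return unlisted, stale, mismatched


if __name__ == "__main__":
    for userid, issues in sorted(account_hygiene_findings(SECURITY_SYSTEM_EXPORT, AS_OF_DATE).items()):
        print(userid, "; ".join(issues))
    print("history depth of 4 acceptable:", password_history_ok(4))
    unlisted, stale, mismatched = reconcile(SECURITY_SYSTEM_EXPORT, MANUAL_ACCESS_LIST)
    print("not on manual list:", sorted(unlisted))
    print("stale entries on manual list:", sorted(stale))
    print("mode mismatches:", sorted(mismatched))
```

The reconciliation is the part the DFAS sites could not do: without an export from the security system there is nothing to diff the spreadsheet against, so the "unlisted" set (accounts that exist but that no one authorized on paper) is exactly what a supervisor signing a monthly recertification never sees.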
Control Description (continued):
During log-in to the ELAN, there is a banner warning users that they are about to log on to a government workstation and that their use will be monitored. This banner automatically appears every time a user accesses any DFAS workstation connected to the ELAN.

ELAN workstations are CAC-configured, which means that an individual must insert a valid CAC card into a reader slot connected to the workstation in order to log in to the network. When the individual leaves the workstation, he or she must remove the CAC card from the reader slot, which automatically locks the workstation and prevents anyone else from accessing the workstation and LAN.

Tests of Operating Effectiveness and Results (continued):

• Inspected access forms for a random sample of users of STANFINS (at the application and network level) to determine whether management authorized access.
  Result: Six of ten DFAS user sites did not have complete or existing authorizations for STANFINS users, as follows:
  DFAS-Denver:
    • 18 STANFINS user access forms did not have an ELAN Account Request Form on file.
  DFAS-Pacific:
    • Justification for STANFINS user access was pre-populated on user access forms by the TASOs and may not support actual needs.
    • The functional data owner's signature was missing from TAPS user request forms on two of the eight forms inspected.
  DFAS-Japan:
    • Four out of 31 ELAN access request forms that users filled out in 1998 did not have an approval (signature).
    • Two external ELAN users had not signed user agreements.
    • Seven out of 53 DD 2875/DISA 41 forms did not contain a business reason for the access request.
    • One out of 53 DD 2875/DISA 41 forms did not contain a business case that adequately explained the reasoning for the access request.
    • One out of 26 DISP User Access Request forms could not be found.
    • Two out of 26 user access forms were not signed by the TASO.
    • One out of 26 user access forms did not contain a supervisor signature or a business case justification.
  DFAS-Rome:
    • Three out of 30 user access forms did not have authorization documentation available.
    • 11 of 29 users with DISP accounts did not have a DISP user access request form with the appropriate approvals and/or justification. Two of these users had STANFINS accounts.
  DFAS-San Antonio:
    • 32 out of 41 LAN user access forms did not have an access request form on file.
  DFAS-Seaside:
    • 68 of 72 access request forms did not include an adequate business reason/justification for the access requested.
    • 46 of 72 access request forms had a pre-populated response that included the type of access the user needed, but did not justify the access.
    • Three out of 31 internal LAN user access forms did not have the functional data owner's signature.
    • 14 of 31 internal LAN user access forms did not have the original user access request form used to create the account.
    • Four of 31 internal users' access request forms were not signed by the information security officer.
    • There was no evidence of LAN access request forms or DISP user access request forms being used prior to February 10, 2005.

• Inquired of DFAS field site ISSOs/TASOs to determine whether DFAS periodically recertified user access levels.
  Result: DFAS field sites did not have the technical knowledge to generate STANFINS and TAPS user access lists directly from the security system. At eight out of ten DFAS field sites (DFAS-Rome, DFAS-Denver, DFAS-Lawton, DFAS-San Antonio, DFAS-Columbus, DFAS-Seaside, DFAS-Indianapolis and DFAS-Pacific), the ISSOs/TASOs could not determine whether manually derived and maintained access control lists accurately reflected the user population, and therefore could not accurately perform user recertifications.

• Inquired of DFAS ISSOs/TASOs, as well as DFAS field site supervisors, and inspected user access listings to TAPS/STANFINS to determine whether user access was commensurate with job responsibilities.
  Result: At DFAS-Columbus, DFAS-Japan, DFAS-Lawton, DFAS-San Antonio, DFAS-Pacific, DFAS-Rome and DFAS-Seaside, users had access that was not required by their job responsibilities.

• Observed an individual user sign on to the network to determine whether the opening screen provided a warning banner that stated the system was for authorized use only and that activity was monitored.
  Result: No exceptions noted.


Completeness (CP)

Controls provide reasonable assurance that all authorized transactions are entered into and completely processed by the computer.

Control Activity:
CP-1.1 Record counts and control totals.

DFAS

Control Description:
STANFINS uses a batch control method, called "blocking," to determine whether control totals equal the sum of the details. During the daily production processing cycle, STANFINS performs batch edits for both manually entered transactions and transactions received through automated file loads.

Manual Input
Transactions manually entered through TAPS are subject to the same edits applied to automated transactions submitted for processing during the batch processing cycle.

Automated File Load
Transaction files may also be loaded via FTP. Similar to the TAPS edits, batch edits within STANFINS include the block totals. If a block total is not included in the FTP file, STANFINS will generate a block and then require a user to "accept" the block total within TAPS. The newly generated block will be reported on the Daily Preliminary Balance Report (AVK018).

Transaction blocks identified as exceptions by batch edits are suspended and reported on the Daily Preliminary Balance Report (AVK018). Accounting Technicians review the AVK018 and clear erred transactions from the suspense file by submitting a correcting transaction, called a correction card, via TAPS. Items remain in suspense (and on the AVK018) until corrected. Blocks that pass STANFINS batch edits are reported at a summary level by block in the AVK018.

Tests of Operating Effectiveness and Results:

• Observed STANFINS batch processing to note whether a block total entered that did not match the detailed transactions caused a suspended transaction. Inspected documentation to verify that these suspended transactions were recorded in the AVK018 report.
  Result: No exceptions noted.

Control Activity:
CP-1.3 Computer matching of transaction data.

DFAS

Control Description:
During the daily production processing cycle, STANFINS performs batch edits for both manually entered transactions and transactions received through automated file loads.

Manual Input
Transactions manually entered through TAPS are subject to the same edits applied to automated transactions submitted for processing during the batch processing cycle.

Automated File Load
Similar to the TAPS edits, batch edits within STANFINS include:
• Alphanumeric checks;
• Checks to determine whether required fields are populated, such as Obligation Data Code, APC, and Fiscal Year;
• Master file validations, including data element relationship edits such as APC and Fiscal Year; and
• Reconciliation of control totals to detail transaction totals (see control objective AC-10 for further information).

Transaction blocks identified as exceptions by batch edits are suspended and reported on the Daily Preliminary Balance Report (AVK018). Accounting Technicians review the AVK018 and clear erred transactions from the suspense file by submitting a correcting transaction, called a correction card, via TAPS. Items remain in suspense (and on the AVK018) until corrected. Blocks that pass STANFINS batch edits are reported at a summary level by block in the AVK018.

Additionally, STANFINS generates other reports to identify accounting issues. The accounting issues include, but are not limited to, Negative Unliquidated Obligations (NULOs) (reported in the AVK087 report), Obligations without an Accrual (AVK087), Credit Receivables (AVK024), and Over-obligations (AVK030 and AVK051). Accounting Technicians review these reports and work with the Program Directors to take corrective action, when applicable.

Tests of Operating Effectiveness and Results:

AVK018 Report:
• Observed the entry of invalid alphanumeric characters, incomplete fields, incorrect APCs, and invalid total cards. Inspected documentation to determine whether errors were included in the AVK018 report with appropriate coding and whether the report was being reviewed to correct exceptions.
  Results:
  • Of 9 DFAS field sites tested, at DFAS-Indianapolis, DFAS-Seaside, DFAS-Japan, DFAS-Lawton, DFAS-Rome, DFAS-Columbus, DFAS-Pacific, and DFAS-San Antonio no standard procedures were maintained or enforced to ensure that errors were properly reconciled, authorized, corrected, and documented.
  • DFAS-Denver, DFAS-Pacific, DFAS-Rome, DFAS-Seaside, DFAS-Indianapolis, DFAS-Columbus, DFAS-Japan, DFAS-San Antonio and DFAS-Lawton did not maintain documented evidence or signatures noting who performed the corrections and whether each correction was appropriate.

AVK087 Report:
• Inquired of Systems Office Support management to determine whether STANFINS automatically identified abnormal accounting issues, such as NULOs (disbursements exceeding obligations), disbursements without obligations, accruals without obligations, accruals exceeding obligations, and negative obligation amounts. Inspected the resulting exception report, AVK087, and determined whether exceptions were properly identified.
  Result: The design of the control was ineffective in that the AVK087 report was not cumulative. Abnormal accounting situations were reported only once; therefore, after the following day, the report did not identify that the abnormal accounting situation still existed. No test of operating effectiveness was performed, since the report could not be sampled.

AVK024 Report:
• Inquired of DNO management to determine how STANFINS determines whether credit receivables were assigned to customers and whether over earnings (exceeding the ceiling amount set on the Military Interdepartmental Purchase Request (MIPR)) were assigned to customers.
  Result: No exceptions noted.

• Observed the processing of a credit receivable and an over earning within STANFINS to determine whether the AVK024 identified the transaction.
  Results:
  • All three DFAS field sites tested (DFAS-San Antonio, DFAS-Denver and DFAS-Rome) did not have documented procedures for identifying and resolving credit unfilled orders or credit receivables.
  • The two DFAS field sites that use the STANFINS AVK024, DFAS-Rome and DFAS-Denver, did not maintain evidence documenting the authorization and correction of each corrected credit receivable or credit unfilled order transaction.

AVK030 and AVK051 Reports:
• Observed the processing of a transaction that caused an over-obligation. Inspected the appropriate AVK report to determine whether the report correctly identified the accounting issue.
  Result: No exceptions noted.

Control Activity:
CP-1.4 Checking reports for transaction data.

DFAS

Control Description:
Accounting Technicians review numerous reports to verify that transactions and master file additions/changes processed successfully. Key reports identified include the AVK018 and the AVK003. Blocks that pass STANFINS batch edits are reported at a summary level by block in the AVK018. The Accounting Technicians review the block totals on the AVK018 to ensure transactions processed accurately. The AVK003 (Master Update Listing) is reviewed to identify additions, changes, and deletions to the master file.

Tests of Operating Effectiveness and Results:

AVK003 Report:
• Observed the entry of a new APC and inspected the AVK003 to determine whether the APC was included on the report.
  Result: No exceptions noted.

AVK018 Report:
• Observed the entry of invalid alphanumeric characters, incomplete fields, incorrect APCs, and invalid total cards. Inspected documentation to determine whether the error was included in the AVK018 report with appropriate coding and whether the report was being reviewed to correct exceptions.
  Results:
  • Of 9 DFAS field sites tested, at DFAS-Indianapolis, DFAS-Seaside, DFAS-Japan, DFAS-Lawton, DFAS-Rome, DFAS-Columbus, DFAS-Pacific, and DFAS-San Antonio no standard procedures were maintained or enforced to ensure that errors were properly reconciled, authorized, corrected, and documented.
  • DFAS-Denver, DFAS-Pacific, DFAS-Rome, DFAS-Seaside, DFAS-Indianapolis, DFAS-Columbus.
DFAS-Japan, DFAS-San\n                                                                                                                   Antonio and DFAS-Lawton did not\n                                                                                                                   maintain documented evidence/signatures or\n                                                                                                                   note who performed the corrections and\n                                                                                                                   whether the correction was appropriate..\nControl Activity:\nCP-2.1 Reconciliations show the completeness of data processed at points in the processing cycle.\nDFAS\nDFAS uses a manual method of batching, called \xe2\x80\x9cblocking,\xe2\x80\x9d to     \xe2\x80\xa2 Inspected BCLs to determine whether they    \xe2\x80\xa2   Of 5 DFAS field sites tested, DFAS-San\nhelp ensure transactions are entered accurately. This manual       were reconciled to STANFINS batch control       Antonio and DFAS-Indianapolis did not\nmethod involves block tickets and block control logs (BCL). A      data.                                           have documented standard procedures to\nblock ticket is a DFAS-generated input document. The BCL is                                                        address reconciliation of BCLs.\na manually maintained log that tracks all the blocks. Various\nDFAS field site divisions/branches and individual users within a                                               \xe2\x80\xa2   None of the DFAS field sites tested\nbranch employ different procedures with respect to the block                                                       performed/maintained documentation of\ntickets and BCL. 
In general, the control department or receiver                                                    reconciliations of summary dollar amounts\nreceives the transmittal letters and other source documentation                                                    and/or block totals on the block ticket to\nvia phone, fax, or e-mail. The receiver then creates a block                                                       summary data within STANFINS.\nticket and assigns a block number and records it on the BCL.\nThe Accounting Technician then inputs the transaction into\nTAPS. The block ticket itself has a space for the verification\nalong with a date. Initialing and dating this area indicates the\ninput technician has visually compared the amount on the block\nticket to the block total on the screen to help ensure accuracy.\n\nAdditionally, some DFAS field site block tickets have a section\nto track when the block cleared the DPBL (Daily Preliminary\nBalance Report, also known as the AVK018 report). By\ninitialing and dating the section, the user successfully traced the\ntransaction from the block ticket to the AVK018 report, thus\nindicating that the transaction processed successfully.\n\n\n\n\n                                                                                  100\n\x0cAccuracy (AY)\n\nControls provide reasonable assurance that transactions processed by the system maintain validity and accuracy throughout processing.\n\nControl Description                                               Tests of Operating Effectiveness                  Results of Tests of Operating Effectiveness\nControl Activity:\nAY-1.3 Key verification increases the accuracy of significant data fields.\nDFAS\nDFAS uses a manual method of batching, called \xe2\x80\x9cblocking,\xe2\x80\x9d to \xe2\x80\xa2 Inspected BCLs to determine whether they             \xe2\x80\xa2   Of 5 DFAS field sites tested, DFAS-San\nhelp ensure transactions are entered accurately. 
This manual          contain the appropriate data and were             Antonio and DFAS-Indianapolis did not\nmethod involves block tickets and BCL. A block ticket is a            reconciled to STANFINS batch control data.        have documented standard procedures to\nDFAS-generated input document. The BCL is a manually                                                                    address reconciliation of BCLs.\nmaintained log that tracks all the blocks. Various DFAS field\nsite divisions/branches and individual users within a branch                                                        \xe2\x80\xa2   None of the DFAS field sites tested\nemploy different procedures with respect to the block tickets                                                           performed/maintained documentation of\nand BCL. In general, the control department or receiver                                                                 reconciliations of summary dollar amounts\nreceives the transmittal letters and other source documentation                                                         and/or block totals on the block ticket to\nvia phone, fax, mail, electronic file, or e-mail. The receiver                                                          summary data within STANFINS.\nthen creates a block ticket and assigns a block number and\nrecords it on the BCL. The Accounting Technician then inputs\nthe transaction into TAPS. The block ticket itself has a space\nfor \xe2\x80\x9cinput by\xe2\x80\x9d along with a date. Initialing and dating this area AVK087 Report:\nindicates the input technician has visually compared the          \xe2\x80\xa2 Inquired of Systems Office Support              \xe2\x80\xa2   The design of the control for the AVK087\namount on the block ticket to the block total on the screen to        management to determine whether                   Report was ineffective in that the report was\nhelp ensure accuracy.                                               
  STANFINS automatically identifies any             not cumulative. Abnormal accounting\n                                                                      abnormal accounting issues, such as NULOs         situations are reported only once; therefore,\nDepending on the user or division, there are various standards        (disbursements exceeding obligations),            after the following day, the report did not\nfollowed and levels of detail maintained on the BCL and block         disbursements without obligations, accruals       identify that the abnormal accounting\nticket. For example, some divisions use a Microsoft Access            without obligations, accruals exceeding           situation existed. No test of operating\ndatabase to track blocks while others use a manually                  obligations, and negative obligation              effectiveness was performed, since the\nmaintained BCL. Some divisions/users keep evidence of their           amounts. Inspected the resulting exception        report could not be sampled.\nreview of the block summary indicated in the screen and others        report, AVK087, to determine whether\ndo not. Some divisions/users have different standards or              exceptions were properly identified.\ndefinitions for the purpose of each of the fields on the block\nticket and BCL. In some instances, the \xe2\x80\x9cinput by\xe2\x80\x9d space on the AVK024 Report:\nblock ticket indicates the input technician has visually                                                            \xe2\x80\xa2   No exceptions noted.\n                                                                  \xe2\x80\xa2 Inquired with DNO management to\ncompared the amount on the block ticket to the block total on\n                                                                      determine how STANFINS determined if\nthe screen. 
In other instances, the \xe2\x80\x9cinput by\xe2\x80\x9d space on the\n                                                                      credit receivables were assigned to\nblock ticket only indicates the input technician entered the\n                                                                      customers and if over earnings (exceeding\ntransaction; not that the block total matched what had been\n\n\n\n                                                                              101\n\x0cControl Description                                                   Tests of Operating Effectiveness                 Results of Tests of Operating Effectiveness\nexpected.                                                                 the ceiling amount set for on the Military\n                                                                          Interdepartmental Purchase Request\nAdditionally, some DFAS field site block tickets have a section           (MIPR)) were assigned to customers.\nto track when the block cleared the DPBL (Daily Preliminary\nBalance Report, also known as the AVK018 report). By                  \xe2\x80\xa2   Observed the processing of a credit          \xe2\x80\xa2   DFAS-San Antonio, DFAS-Denver and\ninitialing and dating the section, the user successfully traced the       receivable and an over earnings within           DFAS-Rome of the three DFAS field sites\ntransaction from the block ticket to the AVK018 report, thus              STANFINS to determine whether the                tested did not have documented procedures\nindicating that the transaction processed successfully.                   AVK024 identified the transaction.               
for identifying and resolving credit unfilled\n                                                                                                                           orders or credit receivables.\nAlso, TAPS and STANFINS have additional edit checks to\nhelp determine the accuracy of significant data.                                                                       \xe2\x80\xa2   The 2 DFAS field sites who use the\n                                                                                                                           STANFINS AVK024, DFAS-Rome and\nManual Input                                                                                                               DFAS-Denver, did not maintain evidence\nTransactions manually entered through TAPS are subject to                                                                  that documented the authorization and\nedits applied to automated transactions submitted for                                                                      correction of each corrected credit\nprocessing during the batch processing cycle.                                                                              receivables or credit unfilled orders\n                                                                                                                           transaction.\nAutomated File Load\nDuring the daily production processing cycle, STANFINS                AVK030 and AVK051 Report:                        \xe2\x80\xa2   No exceptions noted.\nperforms batch edits for manually entered transactions and            \xe2\x80\xa2  Observed the processing of a transaction\ntransactions received through automated file loads. Similar to           that caused an over obligation. 
Inspected\nthe TAPS edits, batch edits in STANFINS include:                         the appropriate AVK report to determine\n                                                                         whether the report correctly identified the\n\xe2\x80\xa2    Alphanumeric checks;                                                accounting issue.\n\xe2\x80\xa2   Checks to determine whether required fields are populated\n    such as Obligation Data Code, APC, and Fiscal Year;\n\xe2\x80\xa2   Master file validations including data element relationship\n    edits such as APC and Fiscal Year; and\n\xe2\x80\xa2   Reconciliation of control totals to detail transaction totals\n    (see control objective AC-10 for further information).\n\nTransaction blocks identified as exceptions by batch edits are\nsuspended and reported on the Daily Preliminary Balance\nReport (AVK018). Accounting Technicians review the\nAVK018 and clear erred transactions from the suspense file by\nsubmitting a correcting transaction, called a correction card, via\nTAPS. 
Items remain in suspense within STANFINS (and on\nthe AVK018).\n\n\n\n                                                                                   102\n\x0cControl Description                                        Tests of Operating Effectiveness                           Results of Tests of Operating Effectiveness\nControl Activity:\nAY-2.1 Programmed validation and edit checks identify erroneous data.\nDFAS\n\nManual Input                                                         AVK018 Report:\nTransactions manually entered through TAPS are subject to            \xe2\x80\xa2 Observed the entry of invalid alphanumeric     \xe2\x80\xa2   Of 9 DFAS Field Sites tested, DFAS-\nedits applied to automated transactions submitted for                   characters, incomplete fields, incorrect          Indianapolis, DFAS-Seaside, DFAS-Japan,\nprocessing during the batch processing cycle, as described in           APCs, and invalid total cards. Inspected          DFAS-Lawton, DFAS-Rome, DFAS-\nthe section below.                                                      documentation to determine whether the            Columbus, DFAS-Pacific, and DFAS-San\n                                                                        errors were included in the AVK018 report         Antonio, no standard procedures were\nAutomated File Load                                                     with appropriate coding and the report was        maintained or enforced to ensure that errors\nDuring the daily production processing cycle, STANFINS                  being reviewed to correct exceptions.             were properly reconciled, authorized,\nperforms batch edits for manually entered transactions and                                                                corrected, and documented.\ntransactions received through automated file loads. 
Similar to\nthe TAPS edits, batch edits in STANFINS include:                                                                      \xe2\x80\xa2   DFAS-Denver, DFAS-Pacific, DFAS-\n                                                                                                                          Rome, DFAS-Seaside, DFAS-Indianapolis,\n\xe2\x80\xa2    Alphanumeric checks;                                                                                                 DFAS-Columbus. DFAS-Japan, DFAS-San\n\xe2\x80\xa2   Checks to determine whether required fields are populated                                                             Antonio and DFAS-Lawton did not\n    such as Obligation Data Code, APC, and Fiscal Year;                                                                   maintain documented evidence/signatures or\n\xe2\x80\xa2   Master file validations including data element relationship                                                           note who performed the corrections and\n    edits such as APC and Fiscal Year; and                                                                                whether the correction was appropriate..\n                                                                     AVK087 Report:\n\xe2\x80\xa2   Reconciliation of control totals to detail transaction totals\n    (see control objective AC-10 for further information).           \xe2\x80\xa2  Inquired of Systems Office Support            \xe2\x80\xa2   The design of the control for the AVK087\n                                                                        management to determine if STANFINS               Report was ineffective in that the report was\nTransaction blocks identified as exceptions by batch edits are          automatically identified any abnormal             not cumulative. 
Abnormal accounting\nsuspended and reported on the Daily Preliminary Balance                 accounting issues, such as NULOs                  situations are reported only once; therefore,\nReport (AVK018). Accounting Technicians review the                      (disbursements exceeding obligations),            after the following day, the report did not\nAVK018 and clear erred transactions from the suspense file by           disbursements without obligations, accruals       identify that the abnormal accounting\nsubmitting a correcting transaction, called a correction card, via      without obligations, accruals exceeding           situation existed. No test of operating\nTAPS. Items remain in suspense (and on the AVK018) until                obligations, and negative obligation              effectiveness was performed, since the\ncorrected. Blocks that do pass STANFINS batch edits are                 amounts. Inspected the resulting exception        report could not be sampled.\nreported at a summary level by block in the AVK018.                     report, AVK087, and to determine whether\n                                                                        exceptions were properly identified.\nAdditionally, STANFINS generates other reports to identify\naccounting issues. The accounting issues include, but are not        AVK024 Report:\nlimited to, Negative Unliquidated Obligations (AVK087),              \xe2\x80\xa2  Inquired with DNO management to               \xe2\x80\xa2   No exceptions noted.\nObligations without an Accrual (AVK087), Credit Receivables             determine how STANFINS determines if\n(AVK024), and Over-obligations (AVK030 and AVK051).                     
credit receivables were assigned to\n                                                                        customers and if over earnings (exceeding\n\n\n                                                                                 103\n\x0cControl Description                                             Tests of Operating Effectiveness                 Results of Tests of Operating Effectiveness\nAccounting Technicians review these reports and work with the       the ceiling amount set for on the Military\nProgram Directors to take corrective action, when applicable.       Interdepartmental Purchase Request\n                                                                    (MIPR)) were assigned to customers.\n\n                                                                \xe2\x80\xa2   Observed the processing of a credit\n                                                                    receivable and an over earnings in           \xe2\x80\xa2   DFAS-San Antonio, DFAS-Denver and\n                                                                    STANFINS to determine whether the                DFAS-Rome of the three DFAS field sites\n                                                                    AVK024 identified the transaction.               
tested did not have documented procedures\n                                                                                                                     for identifying and resolving credit unfilled\n                                                                                                                     orders or credit receivables.\n\n                                                                                                                 \xe2\x80\xa2   The 2 DFAS field sites who use the\n                                                                                                                     STANFINS AVK024, DFAS-Rome and\n                                                                                                                     DFAS-Denver, did not maintain evidence\n                                                                                                                     that documented the authorization and\n                                                                                                                     correction of each corrected credit\n                                                                                                                     receivables or credit unfilled orders\n                                                                AVK030 and AVK051 Report:                            transaction.\n                                                                \xe2\x80\xa2 Observed the processing of a transaction\n                                                                   that caused an over obligation. 
Inspected     \xe2\x80\xa2   No exceptions noted.\n                                                                   the appropriate AVK report to determine\n                                                                   whether the report correctly identified the\n                                                                   accounting issue.\n\n\n\n\n                                                                             104\n\x0cControl Description                                           Tests of Operating Effectiveness                         Results of Tests of Operating Effectiveness\nControl Activity:\nAY-2.3 Overriding or bypassing data validation and editing is restricted.\nDFAS\n\nManual Input                                                         AVK018 Report:\nShould an Accounting Technician manually enter a transaction         \xe2\x80\xa2 Observed the entry of invalid alphanumeric      \xe2\x80\xa2   Of 9 DFAS Field Sites tested, DFAS-\nthat TAPS edits identify as an exception, a warning message             characters, incomplete fields, incorrect           Indianapolis, DFAS-Seaside, DFAS-Japan,\nappears on the screen. During the TAPS edit process, users              APCs, and invalid total cards. Inspected           DFAS-Lawton, DFAS-Rome, DFAS-\nhave the option to correct the transaction at this point.               documentation to verify the inclusion in the       Columbus, DFAS-Pacific, and DFAS-San\nAdditionally, users have the ability to bypass the warning              AVK018 report with appropriate error               Antonio, no standard procedures were\nmessage, thus allowing the transaction to continue processing.          coding. Verified that report was being             maintained or enforced to ensure that errors\n                                                                        reviewed to correct exceptions.                    
were properly reconciled, authorized,\nTransactions bypassed in TAPS and submitted for continued                                                                  corrected, and documented.\nprocessing are subject to batch cycle edit checks.\n                                                                                                                       \xe2\x80\xa2   DFAS-Denver, DFAS-Pacific, DFAS-\nDuring the daily production processing cycle, STANFINS                                                                     Rome, DFAS-Seaside, DFAS-Indianapolis,\nperforms batch edits for manually entered transactions and                                                                 DFAS-Columbus. DFAS-Japan, DFAS-San\ntransactions received through automated file loads. Similar to                                                             Antonio and DFAS-Lawton did not\nthe TAPS edits, batch edits in STANFINS include:                                                                           maintain documented evidence/signatures or\n                                                                                                                           note who performed the corrections and\n\xe2\x80\xa2   Alphanumeric checks;                                                                                                   whether the correction was appropriate..\n\xe2\x80\xa2   Checks to determine whether required fields are populated\n    such as Obligation Data Code, APC, and Fiscal Year;              AVK087 Report:\n\xe2\x80\xa2   Master file validations including data element relationship      \xe2\x80\xa2  Inquired of Systems Office Support             \xe2\x80\xa2   The design of the control was ineffective in\n    edits such as APC and Fiscal Year; and                              management to determine if STANFINS                that the AVK087 Report was not cumulative.\n\xe2\x80\xa2   Reconciliation of control totals to detail transaction totals 
      automatically identified any abnormal              Abnormal accounting situations were\n    (see control objective AC-10 for further information).              accounting issues, such as NULOs                   reported only once; therefore, after the\n                                                                        (disbursements exceeding obligations),             following day, the report did not identify\nTransaction blocks identified as exceptions by batch edits are          disbursements without obligations, accruals        that the abnormal accounting situation\nsuspended and reported on the Daily Preliminary Balance                 without obligations, accruals exceeding            existed. No test of operating effectiveness\nReport (AVK018). Accounting Technicians review the                      obligations, and negative obligation               was performed, since the report could not be\nAVK018 and clear erred transactions from the suspense file by           amounts. Inspected the resulting exception         sampled.\nsubmitting a correcting transaction, called a correction card, via      report, AVK087 to determine whether\nTAPS. Items remain in suspense (and on the AVK018) until                exceptions were properly identified.\ncorrected. 
Blocks that do pass STANFINS batch edits are reported at a summary level by block in the AVK018.

Tests of Operating Effectiveness and Results:
AVK024 Report:
• Test: Inquiry with DNO management to determine how STANFINS identified that credit receivables were assigned to customers and whether over earnings (exceeding the ceiling amount set on the MIPR) were assigned to customers.
  Result: No exceptions noted.
• Test: Observed the processing of a credit receivable and an over earnings in STANFINS to determine whether the AVK024 identified the transaction.
  Results:
  • DFAS-San Antonio, DFAS-Denver and DFAS-Rome, of the three DFAS field sites tested, did not have documented procedures for identifying and resolving credit unfilled orders or credit receivables.
  • The 2 DFAS field sites that use the STANFINS AVK024, DFAS-Rome and DFAS-Denver, did not maintain evidence documenting the authorization and correction of each corrected credit receivable or credit unfilled order transaction.
AVK030 and AVK051 Report:
• Test: Observed the processing of a transaction that caused an over obligation. Inspected the appropriate AVK report to determine whether the report correctly identified the accounting issue.
  Result: No exceptions noted.

Control Activity:
AY-3.1 Rejected transactions are controlled with an automated error suspense file.

DFAS

Control Description:
STANFINS maintains a suspense file, EXGAVK. The program that generates the suspended transaction report, AVK018, is called PBKAVK. A control group is responsible for controlling and monitoring the rejected transactions. Suspended blocks remain in suspense and on the report until corrected or released (deleted).

Additionally, the Accounting Technician responsible for the AVK018 corrections researches the error and makes the corrections via TAPS. In most instances, the AVK018 and related backup documentation are kept for one year.

Tests of Operating Effectiveness and Results:
AVK018 Report:
• Test: Observed the entry of invalid alphanumeric characters, incomplete fields, incorrect APCs, and invalid total cards. Inspected documentation to determine whether errors were included in the AVK018 report with appropriate coding and whether the report was being reviewed to correct exceptions.
  Results:
  • Of 9 DFAS Field Sites tested, at DFAS-Indianapolis, DFAS-Seaside, DFAS-Japan, DFAS-Lawton, DFAS-Rome, DFAS-Columbus, DFAS-Pacific, and DFAS-San Antonio no standard procedures were maintained or enforced to ensure that errors were properly reconciled, authorized, corrected, and documented.
  • DFAS-Denver, DFAS-Pacific, DFAS-Rome, DFAS-Seaside, DFAS-Indianapolis, DFAS-Columbus, DFAS-Japan, DFAS-San Antonio and DFAS-Lawton did not maintain documented evidence/signatures or note who performed the corrections and whether the correction was appropriate.

Control Activity:
AY-3.2 Erroneous data are reported back to the user department for investigation and correction.

DFAS

Control Description:
The Accounting Technician responsible for the AVK018 corrections researches the error and makes the corrections via TAPS. In most instances, the AVK018 and related backup documentation are kept for one year.

Tests of Operating Effectiveness and Results:
AVK018 Report:
• Test: Observed the entry of invalid alphanumeric characters, incomplete fields, incorrect APCs, and invalid total cards. Inspected documentation to determine whether errors were included in the AVK018 report with appropriate coding and whether the report was being reviewed to correct exceptions.
  Results:
  • Of 9 DFAS Field Sites tested, at DFAS-Indianapolis, DFAS-Seaside, DFAS-Japan, DFAS-Lawton, DFAS-Rome, DFAS-Columbus, DFAS-Pacific, and DFAS-San Antonio no standard procedures were maintained or enforced to ensure that errors were properly reconciled, authorized, corrected, and documented.
  • DFAS-Denver, DFAS-Pacific, DFAS-Rome, DFAS-Seaside, DFAS-Indianapolis, DFAS-Columbus, DFAS-Japan, DFAS-San Antonio and DFAS-Lawton did not maintain documented evidence/signatures or note who performed the corrections and whether the correction was appropriate.

Control Activity:
AY-4.2 Reports showing the results of processing are reviewed by users.

DFAS

Control Description:
Accounting Technicians review numerous reports to verify processing results. Key reports identified include AVK003, AVK006, and AVK018. The AVK003 (Master Update Listing) is reviewed to identify additions, changes, and deletions to the master files. The AVK006 (Master Update Error Report) is reviewed to identify lines that did not process to the master files, along with the respective error codes. As documented in AY 3.1, the AVK018 (Daily Preliminary Balance) is reviewed to ensure transactions processed accurately.

Tests of Operating Effectiveness and Results:
AVK018 Report:
• Test: Observed the entry of invalid alphanumeric characters, incomplete fields, incorrect APCs, and invalid total cards. Inspected documentation to determine whether errors were included in the AVK018 report with appropriate coding and whether the report was being reviewed to correct exceptions.
  Results:
  • Of 9 DFAS Field Sites tested, at DFAS-Indianapolis, DFAS-Seaside, DFAS-Japan, DFAS-Lawton, DFAS-Rome, DFAS-Columbus, DFAS-Pacific, and DFAS-San Antonio no standard procedures were maintained or enforced to ensure that errors were properly reconciled, authorized, corrected, and documented.
  • DFAS-Denver, DFAS-Pacific, DFAS-Rome, DFAS-Seaside, DFAS-Indianapolis, DFAS-Columbus, DFAS-Japan, DFAS-San Antonio and DFAS-Lawton did not maintain documented evidence/signatures or note who performed the corrections and whether the correction was appropriate.
• Test: Inquired of management to obtain an understanding of the procedures to review the AVK006 report, research the errors, make associated corrections, and document, where appropriate, resolution of the error and authorizations.
  Results:
  • DFAS-Rome, DFAS-Japan, DFAS-Columbus, DFAS-Denver, DFAS-Orlando and DFAS-San Antonio maintained limited or no evidence regarding the review, input, and resolution of the errors.
  • DFAS-Seaside, DFAS-Japan, DFAS-Columbus, DFAS-Denver, DFAS-Orlando and DFAS-San Antonio did not maintain a policy or standard operating procedure documenting the evidence requirements supporting the correction of errors within the AVK006 report.

Integrity (IN)

Controls provide reasonable assurance that production processing uses the current version of software and data, that transactions are secured from unauthorized modification, and that concurrent updates of files are not allowed.

Control Description / Tests of Operating Effectiveness / Results of Tests of Operating Effectiveness

Control Activity:
Production scheduling is monitored for program failures due to corrupted or missing input files.

Common Controls [4]

Control Description:
Control-M records the date and time, user ID and disposition code, and job execution message regarding the completion of production jobs to audit trails.

Color-coding facilitates the identification of erred production jobs. Audit trails are generated real-time during the execution of the production schedule and are available for review after the fact.

Control-M produces a log that identifies that a schedule change has been made and the user ID of the individual who made the change. Control-M has the ability to filter data to identify deleted schedules and the user who performed the deletion.

Tests of Operating Effectiveness and Results:
• Test: Inquired of the IT Supervisor and Specialist and inspected the settings page to determine the settings applied for recording of audit records in SysLog.
  Result: At the DOIM located in Denver, personnel were unaware of automated logging features in Control-M, stating there was no automated audit logging process for STANFINS job scheduling and processing.
• Test: Inspected a screen print of the Control-M History log to determine whether audit trails of production schedule/job completion were documented.
  Result: At the DOIM located in Denver, the audit trails for production job scheduling were not documented.

[4] Common controls are those controls that a DoD organization other than DISA or DFAS implements, and are commonly applied across both DISA and DFAS.

DISA

Control Description:
DISA DECC-St. Louis and DISA DECC-Mechanicsburg share responsibility for monitoring of production processing with DFAS. When an operator at DECC identifies an abnormal job termination (ABEND), he/she creates a REMEDY system ticket and contacts an appropriate DFAS point of contact (POC) for resolution. Contact lists/escalation procedures document POCs to be called in the event of an unresolved ABEND. DISA DECC maintains historical REMEDY tickets as a resource for identifying and resolving production-processing problems. Once DFAS is alerted of the issue, DFAS is responsible for identifying a method of resolution and ensuring the problem is resolved.

Tests of Operating Effectiveness and Results:
• Test: Inquired with TSB personnel to determine whether a process for identifying, documenting, and tracking production schedule deviations was developed.
  Result: No exceptions noted.
• Test: Inspected the listing of appropriate DFAS points of contact to determine if contact information was documented.
  Result: No exceptions noted.
• Test: For production issues since July 2004, inspected the corresponding REMEDY tickets to determine if they were tracked to completion.
  Result: No exceptions noted.

DFAS

Control Description:
DISA DECC-St. Louis and DISA DECC-Mechanicsburg share responsibility for monitoring of production processing with DFAS.

Once DFAS is alerted of the issue, DFAS is responsible for identifying a method of resolution and ensuring the problem is resolved.

Some DOIM sites have standard operating procedures to address production job ABENDs and escalation procedures.

Processing is monitored real-time and any issues are immediately identified and addressed. When a job encounters an ABEND, the screen turns red and processing stops until it is corrected and restarted by an operator.

Escalation procedures provide detailed instruction on handling ABENDs and identify points of contact.

In some cases, Internal Trouble Reports are created when STANFINS processing ABENDs. When an Internal Trouble Report is created, an approval must accompany the change made to fix the processing issue.

Tests of Operating Effectiveness and Results:
• Test: Inquired with the Computer/EDP Specialist to determine whether a process for identifying, documenting, and tracking production schedule deviations was developed. Inspected procedures to determine whether the process was documented and whether a point of contact list was available for reference when problem escalation was necessary.
  Result: At the DOIM site located in Denver:
  • Denver DOIM Management did not develop and implement Control-M standards and procedures to aid personnel in the use of this application.
  • The process for documenting the job schedule changes and any issues during processing was informal. As a result, no documentation existed for these processes.
  • A description of STANFINS production jobs, description of ABEND codes, and escalation, recovery, and restart procedures was not documented.
• Test: Inspected procedures used for production processing and documentation used to track deviations from the predefined production-processing schedule.
  Result: At the DOIM site located in Denver, the same three findings as for the preceding test (no Control-M standards and procedures; informal, undocumented process for job schedule changes and processing issues; no documented description of STANFINS production jobs, ABEND codes, and escalation, recovery and restart procedures).
• Test: For production issues since July 2004, inspected the corresponding REMEDY tickets to determine if they were tracked to completion.
  Result: No exceptions noted.

Control Activity:
A program change/confirmation management process is in place that includes testing changes prior to their introduction to the production environment.

DISA

Control Description:
DISA DECC-St. Louis uses change request templates for system software changes. The CCB Instructions to be Followed for Preparation of CCP requires the following details for changes: major project/goal, change description, scope of change, domains affected, back-out procedures, downtime, and special instructions.

SSO Mechanicsburg is responsible for building, testing, and distributing implementation-ready Mainframe Executive Software Suites for all test and production LPARs. This includes all software changes, releases, maintenance, and upgrades. The DECC and SSO technical staffs participate in the testing; coordinate the scheduling, customer interfaces, and administrative changes; implement the revised software suites; and provide operational technical support.

If the proposed change impacts DISA DECC-St. Louis customers, a formal synopsis of the change is sent to the affected customers for coordination purposes.

The REMEDY help desk ticket system tracks any identified problems.

Emergency system software changes follow the same process as any other system software change, only the process is expedited.

SSO is responsible for the standardization and optimization of the executive software suites for all DECCs. The Executive Support Plan documents and delegates these responsibilities to the SSO. The support plan states that the SSO will provide three levels of support: Standard Operating Environment (SOE), Centrally Supported Systems (CSS), and Consolidated Maintenance Contract (CMC).

DISA DECC-Mechanicsburg employs a change management process for all software changes/requests called the ESCCB. An individual making a request for a change to or for new software must submit a request via a Web-based form. The ESCCB board meets on a weekly basis to review the requests submitted over the past week. The policies and procedures of the board set forth the process for submission and approval of change requests.

Applicable domains track system software changes.

Tests of Operating Effectiveness and Results:
• Test: Inquired of the DISA DECC-St. Louis TSB Chief regarding procedures for making changes to system software supporting STANFINS.
  Result: DISA did not develop system software change management procedures detailing specific DECC roles, responsibilities, and procedures regarding identification of system software problems, testing of changes, impact analyses, approvals, implementation and verification, and documentation requirements.
• Test: Inspected system software change logs to determine whether system software changes on the STANFINS-related mainframe domains were tracked.
  Results:
  • No audit log was created for the use of sensitive system utilities on the ACF2 domains; thus, DISA DECC-St. Louis could not review program use violations.
  • Top Secret was not consistently configured to generate audit logs for all sensitive utilities; thus, DISA DECC-St. Louis could not review program use violations.
• Test: Selected a random sample of changes to STANFINS system software/DB changes to determine whether required documentation was present.
  Result: DISA SSO and DISA DECC-St. Louis lacked change documentation that included detailed information about the change, such as test results or impact analysis.
• Test: Inspected the notification e-mails for STANFINS changes applied during the examination period to determine whether implementation dates for STANFINS were communicated to personnel implementing the changes in the TSB.
  Result: No exceptions noted.
• Test: Inquired of STANFINS system owners and System Administrators to determine whether procedures were developed and documented for identifying, recording and tracking STANFINS-related system software problems.
  Result: DISA did not develop system software change management procedures detailing specific DECC roles, responsibilities, and procedures regarding identification of system software problems, testing of changes, impact analyses, approvals, implementation and verification, and documentation requirements.
• Test: Inspected vendor support agreements to determine whether they were current and provided coverage for computer assets.
  Result: No exceptions noted.
• Test: Inquired of management to determine whether migration of tested and approved STANFINS system software to the production environment was performed by an independent library control group.
  Result: The TSB performed the migration of tested and approved system software changes; however, there were no documented policies requiring migration of system software changes into production by an independent library control group. The same person could develop/identify the change request, test the proposed change, and implement the change.
• Test: Compared user listings for individuals with access to migrate changes into the production environment to determine whether it was commensurate with job responsibilities.
  Result: At DECC Mechanicsburg, two individuals listed as authorized users for the Software Factory no longer required access.
• Test: Inquired of the DISA DECC-St. Louis TSB Branch Chief and inspected documentation and system-generated inventories to determine whether DISA DECC-St. Louis maintained an inventory of programs on STANFINS-related mainframe domains.
  Result: No exceptions noted.

DFAS

Control Description:
STANFINS currently operates in a "maintenance mode," which means that only emergency maintenance changes are applied. Emergency maintenance changes are those software changes required to maintain compliance with applicable Federal statutes and regulations.

A completed SCR form must accompany STANFINS software changes, with the potential exception of changes required to accommodate interfacing systems. The System Owner must fill out and approve the SCR before the change is tested and migrated to production.

Prior to testing, each SCR requires a documented TCR form to be filled out, including a sign-off documenting the STANFINS PMO Functional group's approval. Testing is performed using production data on a test environment.

Once the TCR is authorized, the PMO Functional group sends an e-mail to TSO regarding the change release. A checklist is used to determine that all appropriate steps have been taken prior to ship. DECC is contacted to determine that they are ready to receive, and have received, the release.

Tests of Operating Effectiveness and Results:
• Test: Inspected supporting authorization and testing documentation for STANFINS changes applied during the examination period to determine whether documentation was prepared in accordance with DoD Instruction 8500.2.
  Result: Documentation of testing and authorizations related to the development and implementation of STANFINS application changes was inconsistently generated and maintained. These inconsistencies included:
  • SCRs were generally not created if the Change Control Board knew that the request would not be authorized.
  • Change Control Board meetings were informal, held as needed, and most communication regarding proposed changes was discussed verbally.
  • Of 15 SCRs and TCRs generated October 2, 2002 through October 2004, only three had e-mail documentation to support the change.
  • Of 12 FY 2004 SCRs, only three copies of e-mails notifying the DFAS field sites of changes were maintained.
• Test: Performed inquiry of the PMO Accountant and Lead Specialist to verify the process used to document and authorize changes.
  Result: STANFINS application changes were manually controlled, migrated, and released from the testing environment; however, the documentation was not appropriately maintained. Specifically, there were no automated version controls (i.e., a program change version control system) to track changes to STANFINS.

Control Activity:
Access controls have been placed into operation to restrict application access to authorized personnel.

DISA

Control Description:
The DISA Computing Services Security Handbook details granting access to system resources.

Tests of Operating Effectiveness and Results:
• Test: Inspected policies and procedures on
  Result: No exceptions noted.
          granting and monitoring access to\n                                                                    STANFINS IT resources.\nUsers at the DISA DECC-St. Louis have access to STANFINS\napplication production files and data as necessary to support  \xe2\x80\xa2 Inquired of DISA DECC-St. Louis Security         \xe2\x80\xa2   No exceptions noted.\nsystem operation and respond to customer requests. DECC             Division Branch Chief to determine the\nusers also have access to the mainframe GSS where the               process for granting access to STANFINS.\napplication resides. The DECC is responsible for creating and\nmaintaining DECC user accounts, as well as DFAS ISSO and\n                                                               \xe2\x80\xa2 Inspected access control procedures to           \xe2\x80\xa2   No exceptions noted.\nTASO accounts at customer sites. The local ISSO/TASO is\n                                                                    determine whether the process for granting,\nresponsible for creating and maintaining user accounts at\n                                                                    monitoring, and removing access to\ncustomer sites.\n                                                                    STANFINS followed Federal (NIST SP\n                                                                    800-26 \xe2\x80\x93 Logical Access) and DoD\nUsers at the DECC (the majority of which are system software\n                                                                    guidance (DoD Instruction 8500.2 \xe2\x80\x93 Remote\n\n\n\n                                                                            113\n\x0cControl Description                                                 Tests of Operating Effectiveness                   Results of Tests of Operating Effectiveness\nmaintenance personnel) requiring access to the mainframe                Access, Access Procedures, Access Control\nenvironment complete 
a form DD 2875 \xe2\x80\x9cSystem Authorization               Policies, Contractor and Foreign Nationals\nAccess Request\xe2\x80\x9d, used for initial access requests, as well as for       Access, Comprehensive Account\nchanges to an account. An authorized supervisor must sign this          Management, Least Privilege Procedures,\nform, indicating approval of the access. Users must possess a           Classified Data Protection).\nsecurity clearance commensurate with the classification level\nof the system in order to obtain access. Passwords are              \xe2\x80\xa2   Inspected initial authorization                \xe2\x80\xa2   At DISA DECC-St. Louis, we selected 42\ncommunicated to users via secure means, either in person or             documentation for a random sample of               users out of 1441 and requested their user\nvia e-mail, using separate e-mails to transmit user ID and              STANFINS users (at the application and             access request form packets. Out of the\npassword.                                                               network level) to determine completeness           sample of 42 packets:\n                                                                        and existence.                                     \xe2\x80\xa2 One user did not have a completed\nThe RAS server connections provide direct dial-in access to the                                                                access request form;\nnetwork. DECC users requesting remote access must submit\n                                                                                                                           \xe2\x80\xa2 Three individuals had at least one\nan approved form DD 2875. 
Remote access is granted to users\n                                                                                                                               access request form without a Security\nwith a valid need, which must be approved by a supervisor, to\n                                                                                                                               representative\xe2\x80\x99s signature certifying that\naccess the network remotely. Typically, users are granted\n                                                                                                                               the individual\xe2\x80\x99s background\nremote access in order to respond quickly to emergency\n                                                                                                                               checks/security clearances were\nsituations and resolve problems when not at the DECC facility.\n                                                                                                                               appropriate;\nAfter receiving an approved remote access request, the Security\nDivision staff adds the user to the RAS server.                                                                            \xe2\x80\xa2 Six individuals had at least one access\n                                                                                                                               request form where the user\nThe mainframe access control applications CA-ACF2 and CA-                                                                      acknowledgement portion was not\nTop Secret protect the STANFINS application and the system                                                                     signed.\nsoftware it resides on.                                             \xe2\x80\xa2   Inquired of DISA DECC-St. 
Louis Security\n                                                                                                                       \xe2\x80\xa2   DISA DECC-St. Louis did not have a\n                                                                        Division Branch Chief regarding policies\nACF2 and Top Secret mainframe security software enforce                                                                    process for recertifying user access to\n                                                                        and procedures for recertifying users access\ndiscretionary access controls. Also, access to shared and                                                                  STANFINS.\n                                                                        in STANFINS.\nnetworked file systems outside the mainframe environment is\ncontrolled through discretionary access controls enforced\n                                                                    \xe2\x80\xa2   Obtained and inspected the ACL for\n                                                                                                                       \xe2\x80\xa2   Two separated out of 11 employees retained\nthrough network access privileges.\n                                                                        STANFINS to determine whether separated\n                                                                                                                           access to one or more of the domains where\n                                                                        employees had access.\nThe UML Standardization memo establishes user ID rules for                                                                 STANFINS resided.\nDECC users. DECC user IDs are configured to identify the\nuser\xe2\x80\x99s department, as well as employment status. 
Additionally,\nthe OS/390 STIG requires a unique ACF2 or Top Secret user           \xe2\x80\xa2   Inspected the ACL to determine whether\n                                                                                                                       \xe2\x80\xa2   No duplicate accounts were identified. (No\nID for every user.                                                      duplicate accounts existed.\n                                                                                                                           Exception Noted.) However, three accounts\n                                                                                                                           on the Far East domain had no user name\nPasswords are not displayed as a user logs in to the mainframe.                                                            associated with the ACF2 ID (ACID).\nAfter three invalid log-on attempts, ACF2 automatically                                                                    (Exception Noted)\n\n\n\n                                                                                 114\n\x0cControl Description                                               Tests of Operating Effectiveness                  Results of Tests of Operating Effectiveness\nterminates the session. For the Top Secret domains, Top Secret    \xe2\x80\xa2 Inspected an ACL of remote users and\nsuspends the user\xe2\x80\x99s account after two invalid log-on attempts.        inquired of the ISSO to determine whether     \xe2\x80\xa2   Remote access to the DECC mainframes via\n                                                                      the access was limited, documented, and           telnet was not restricted and not secured via\nBefore authentication, a warning banner is displayed that             approved.                                         
encryption.\ninforms the user that the system is for authorized use only and\nthat activity will be monitored. The terminal session             \xe2\x80\xa2   Inquired of Security Division Branch Chief    \xe2\x80\xa2   Minimum password length on each of the\nautomatically logs the user off after 15 minutes of inactivity        and Security Administrators and inspected         five ACF2 ASIMS domains and the one Top\nand a screen-lock appears after 15 minutes, which requires the        ACF2 and Top Secret security settings to          Secret ASIMS domain was configured to six\nuser to re-authenticate in order to re-gain access.                   determine whether the security products           characters, while the OS/390 STIG required\n                                                                      were securely configured in accordance with       passwords have a minimum of eight\nInactive accounts are suspended after 35 days of inactivity and       OS/390 STIG guidance to enforce                   characters.\ndeleted after 90 days of inactivity.                                  
discretionary access controls.\n                                                                                                                    \xe2\x80\xa2   Users on the Top Secret ASIMS domain\n                                                                                                                        were not required by the system to use a\n                                                                                                                        national character (e.g., $, @, #) when\n                                                                                                                        creating new passwords, as required by the\n                                                                                                                        OS/390 STIG.\n\n                                                                                                                    \xe2\x80\xa2   Users on the ACF2 ASIMS domains were\n                                                                                                                        restricted from using their previous four\n                                                                                                                        passwords; users should be restricted from\n                                                                                                                        using their previous ten passwords as\n                                                                                                                        required by the OS/390 STIG.\n\n                                                                                                                    \xe2\x80\xa2   The Huntsville ASIMS domain had the\n                                                                                                                        JOBCK setting set to NOJOBCK. 
This\n                                                                                                                        setting did not require ACF2 to verify\n                                                                                                                        whether a user submitting a batch job had\n                                                                                                                        been granted the authority to submit batch\n                                                                                                                        jobs.\n\n\n                                                                                                                    \xe2\x80\xa2   An individual user was assigned to the\n                                                                                                                        Master Central Security Administrator\n                                                                                                                        (MSCA) account on the Top Secret ASIMS\n                                                                                                                        Far East domain. 
The MSCA designation\n                                                                                                                        allows full system access and is not required\n                                                                                                                        for individual users.\n\n\n\n                                                                              115\n\x0cControl Description   Tests of Operating Effectiveness                   Results of Tests of Operating Effectiveness\n\n                                                                         \xe2\x80\xa2   26 DECC ACF2 accounts on the ASIMS\n                                                                             domains had passwords that did not expire\n                                                                             (MAXDAYS not specified). 147 DECC\n                                                                             Top Secret accounts on the Far East ASIMS\n                                                                             domains had passwords that did not expire\n                                                                             (Password Interval = 0).\n\n                                                                         \xe2\x80\xa2   DISA DECC St. 
Louis users had \xe2\x80\x9cWrite\xe2\x80\x9d or\n                                                                             \xe2\x80\x9cAllocate\xe2\x80\x9d access to STANFINS production\n                                                                             application datasets on two of five ACF2\n                                                                             ASIMS domains and the Top Secret ASIMS\n                                                                             Far East domain.\n\n                      \xe2\x80\xa2   Inspected the UML Standardization memo\n                          to determine whether naming conventions        \xe2\x80\xa2   No exceptions noted.\n                          were established for DECC users.\n\n                      \xe2\x80\xa2   Inquired of Security Division Branch Chief\n                          and system administrators to determine         \xe2\x80\xa2   No exceptions noted.\n                          security procedures for logging on and using\n                          the network. Inspected GSS (mainframe)\n                          policies and procedures to determine\n                          whether security procedures were\n                          documented.\n\n                      \xe2\x80\xa2   Inquired of Security Division Branch Chief\n                          and inspected procedures to determine          \xe2\x80\xa2   542 out of 1392 user accounts across the six\n                          whether inactive mainframe users\xe2\x80\x99 accounts         STANFINS-related ASIMS domains were\n                          were monitored and removed when not                inactive for over 180 days or had never been\n                          needed. 
Inspected the Top Secret and ACF2          used.\n                          STANFINS-related domain ACLs to\n                          determine whether inactive DECC user IDs\n                          were present within the domains.\n\n                      \xe2\x80\xa2   Observed an individual user sign on to the\n                          mainframe to determine whether the             \xe2\x80\xa2   No exceptions noted.\n                          opening screen provided a warning banner\n\n\n\n                                  116\n\x0cControl Description                                                 Tests of Operating Effectiveness                    Results of Tests of Operating Effectiveness\n                                                                        that stated the system was for authorized use\n                                                                        only and that activity was monitored.\n\n                                                                    \xe2\x80\xa2   Observed a PC terminal to determine\n                                                                        whether automatic log-off occurred after a      \xe2\x80\xa2   No exceptions noted.\n                                                                        preset number of minutes of inactivity.\n\n\n\nDFAS\nThe Procedures for ASIMS Access Controls details policies on        \xe2\x80\xa2   Inspected DFAS policies and procedures to       \xe2\x80\xa2   Of the four DFAS sites, DFAS-Indianapolis\nsecurity access responsibilities and the process to grant user          determine whether guidance was established          (PMO and TSO), DFAS-Pacific, DFAS-\naccess to STANFINS. DFAS uses user access forms to                      to outline ELAN administrator security              Japan and DFAS-Rome stated that there was\ndocument the establishment, modification, deletion, or                  responsibilities.                                   
no DFAS service-wide policy or guidance\nsuspension of access to STANFINS IT resources, to include the                                                               document outlining local ELAN\nSTANFINS application, as well as the ELAN, which DFAS                                                                       administrator security responsibilities versus\nadministrative and field sites use to gain access to STANFINS.                                                              those of centralized groups responsible for\n                                                                                                                            the administration/ monitoring of DFAS-\nTo set up ELAN access, the ELAN administrator, prior to                                                                     wide network security.\nestablishing a network user ID and password, must approve the\nform via signature. For some sites, a separate security group       \xe2\x80\xa2   Inspected access control procedures to          \xe2\x80\xa2   During testing, DFAS field sites were\napproves the form via signature.                                        determine whether the process for granting,         unable to generate STANFINS and TAPS\n                                                                        monitoring, and removing access to                  user access lists directly from the security\nUsers must have a TAPS account to access the STANFINS                   STANFINS and GSS followed Federal                   system. As a result, of the ten DFAS field\napplication. The local TASO/ISSO is responsible for security            (NIST SP 800-26 \xe2\x80\x93 Logical Access) and               sites, DFAS-Rome, DFAS-Denver, DFAS-\nadministration, including the assignment of TAPS accounts.              
DoD guidance (DoD Instruction 8500.2 \xe2\x80\x93              San Antonio, DFAS-Lawton, DFAS-\nThe ISSO creates user accounts for TAPS/STANFINS through                Remote Access, Access Procedures, Access            Columbus, DFAS-Indianapolis and DFAS-\na tool called VASS. For the majority of DFAS field sites,               Control Policies, Contractor and Foreign            Pacific and DFAS-Seaside could not:\nMicrosoft Excel spreadsheet, Access database, or other manual           Nationals Access, Comprehensive Account             \xe2\x80\xa2 Identify all TAPS modes (access\nmeans of tracking are used to identify STANFINS/TAPS users,             Management, Least Privilege Procedures,                  privileges) assigned to users;\nTAPS mode profiles, and assigned TAPS modes. At DFAS-\nOrlando and DFAS-Japan, TASOs/ISSOs generate ACF2-\n                                                                        Classified Data Protection).                        \xe2\x80\xa2 Determine whether users had\nnative listings in order to identify and track access to TAPS and                                                                inappropriate access to TAPS modes,\nSTANFINS.                                                                                                                        based on job responsibilities; and\n                                                                                                                            \xe2\x80\xa2 Determine whether manually derived\nThe DFAS ISSP provides guidance in conducting monthly                                                                            and maintained access control lists\nrecertifications of STANFINS and ELAN accounts. 
The ISSO                                                                         accurately reflected the user population.\nis responsible for providing each supervisor with a STANFINS\nuser listing of access levels, and it is the supervisor\xe2\x80\x99s\n\n\n\n                                                                                 117\n\x0cControl Description                                                  Tests of Operating Effectiveness                 Results of Tests of Operating Effectiveness\nresponsibility to validate and authorize user access.                \xe2\x80\xa2 Inspected access forms for a random sample     \xe2\x80\xa2 Of the ten DFAS field sites, nine field sites\n                                                                         of STANFINS access (at the application and      (DFAS-Rome, DFAS-Denver, DFAS-\nRemote network access via a DISP account is granted to a user            network level) to determine whether             Lawton, DFAS-San Antonio, DFAS-\nbased on valid need and supervisory approval.                            management authorized access.                   Columbus, DFAS-Seaside, DFAS-\n                                                                                                                         Indianapolis, DFAS-Pacific and DFAS-\nSTANFINS application password and user ID rules are                                                                      Japan) either used locally developed or had\nconfigured in the security system software maintained by                                                                 not documented procedures for granting,\nDISA.                                                                                                                    
approving, monitoring, recertifying, and\n                                                                                                                         removing user access to STANFINS and the\nDFAS ELAN procedures include requirements that guide                                                                     ELAN.\nELAN administrators in the conduct of network security\nadministration.                                                                                                       \xe2\x80\xa2   Six of ten DFAS user sites did not have\n                                                                                                                          complete or existing authorizations for\nDuring log-in to the ELAN, there is a banner warning users that                                                           STANFINS users as follows:\nthey are about to log on to a government workstation and that                                                             DFAS-Denver:\ntheir use will be monitored. 
This banner automatically appears\n                                                                                                                          \xe2\x80\xa2 18 STANFINS user access forms did\nevery time a user accesses any DFAS workstation connected to\n                                                                                                                              not have an ELAN Account Request\nELAN.\n                                                                                                                              Form on file.\n                                                                                                                          DFAS-Pacific:\nELAN workstations are CAC-configured, which means that an\nindividual must insert a valid CAC card into a reader slot that is                                                        \xe2\x80\xa2 Justification for STANFINS user access\nconnected to the workstation to log in to the network. When                                                                   was pre-populated on user access forms\nthe individual leaves the workstation, he or she must remove                                                                  by the TASOs and may not support\nthe CAC card from the reader slot, which automatically locks                                                                  actual needs.\nthe workstation and prevents anyone else from accessing it.                                                               
\xe2\x80\xa2 The functional data owner\xe2\x80\x99s signature\n                                                                                                                              was missing from TAPS user request\n                                                                                                                              forms on two of the eight forms\n                                                                                                                              inspected.\n                                                                                                                          DFAS-Japan:\n                                                                                                                          \xe2\x80\xa2 Four out of 31 ELAN access request\n                                                                                                                              forms that users filled out in 1998 did\n                                                                                                                              not have an approval (signature).\n                                                                                                                          \xe2\x80\xa2 Two external ELAN users had not\n                                                                                                                              signed user agreements.\n                                                                                                                          \xe2\x80\xa2 Seven out of 53 DD 2875/DISA 41\n                                                                                                                              forms did not contain a business case\n                                                                                                                              for the access request.\n                                         
Results of Tests of Operating Effectiveness (continued):
• One out of 53 DD 2875/DISA 41 forms did not contain a business case that adequately explained the reasoning for the access request.
• One out of 26 DISP User Access Request forms could not be found.
• Two out of 26 user access forms were not signed by the TASO.
• One out of 26 user access forms did not contain a supervisor signature or a business case justification.
DFAS-Rome:
• Three out of 30 user access forms did not have authorization documentation available.
• 11 of 29 users with DISP accounts did not have a DISP user access request form with the appropriate approvals and/or justification. Two of these users had STANFINS accounts.
DFAS-San Antonio:
• 32 out of 41 LAN user access forms did not have an access request form on file.
DFAS-Seaside:
• 68 of 72 access request forms did not include an adequate business reason/justification for the access requested.
• 46 of 72 access request forms had a pre-populated response that included the type of access the user needed, but did not justify the access.
• Three out of 31 internal LAN user access forms did not have the functional data owner's signature.
• 14 of 31 internal LAN user access forms did not have the original user access request form used to create their account.
• Four of 31 internal users' access request forms were not signed by the information security officer.
• There was no evidence of LAN access request forms or DISP user access request forms being used prior to February 10, 2005.

Tests of Operating Effectiveness:
• Inquired of DFAS field site ISSOs/TASOs to determine whether DFAS periodically recertified user access levels.
Results of Tests of Operating Effectiveness:
• DFAS field sites did not have the technical knowledge to generate STANFINS and TAPS user access lists directly from the security system. At eight out of ten DFAS field sites (DFAS-Rome, DFAS-Denver, DFAS-Lawton, DFAS-San Antonio, DFAS-Columbus, DFAS-Seaside, DFAS-Indianapolis and DFAS-Pacific), the ISSOs/TASOs could not determine whether manually derived and maintained access control lists accurately reflected the user population, and therefore could not accurately perform user recertifications.

Tests of Operating Effectiveness:
• Inquired of DFAS ISSOs/TASOs, as well as DFAS field site supervisors, and inspected user access listings to TAPS/STANFINS to determine whether user access was commensurate with job responsibilities.
Results of Tests of Operating Effectiveness:
• At DFAS-Columbus, DFAS-Japan, DFAS-Lawton, DFAS-San Antonio, DFAS-Pacific, DFAS-Rome and DFAS-Seaside, users had access that was not required by their job responsibilities.

Tests of Operating Effectiveness:
• Observed an individual user sign on to the network to note whether the opening screen provided a warning banner that stated the system was for authorized use only and that activity was monitored.
Results of Tests of Operating Effectiveness:
• No exceptions noted.

Control Activity:
Integrity verification programs are used by applications to look for evidence of data tampering, errors, and omissions.

DFAS

Control Description:
STANFINS uses a batch control method, called "blocking," to determine whether control totals equal the sum of the details. During the daily production processing cycle, STANFINS performs batch edits for manually entered transactions and transactions received through automated file loads.

Manual Input
Transactions manually entered through TAPS are subject to edits applied to automated transactions submitted for processing during the batch processing cycle.

Automated File Load
Transaction files may also be loaded via FTP. Similar to the TAPS edits, batch edits in STANFINS include the block totals. If a block total is not included in the FTP file, STANFINS will generate a block and then require a user to "accept" the block total in TAPS. The newly generated block will be reported on the Daily Preliminary Balance Report (AVK018).

Transaction blocks identified as exceptions by batch edits are suspended and reported on the Daily Preliminary Balance Report (AVK018). Accounting Technicians review the AVK018 and clear the transactions in error from the suspense file by submitting a correcting transaction, called a correction card, via TAPS. Items remain in suspense (and on the AVK018) until corrected. Blocks that do pass STANFINS batch edits are reported at a summary level by block in the AVK018.

Tests of Operating Effectiveness:
• Observed STANFINS batch processing to note whether a block total entered that didn't match the detailed transactions caused a suspended transaction. Inspected documentation to verify that these suspended transactions were recorded in the AVK018 report.
Results of Tests of Operating Effectiveness:
• No exceptions noted.

Control Activity:
Reconciliation routines are used by applications, e.g., checksums, hash totals, record counts to promote data accuracy.

DFAS

Control Description:
STANFINS uses a batch control method, called "blocking," to determine whether control totals equal the sum of the details. During the daily production processing cycle, STANFINS performs batch edits for manually entered transactions and transactions received through automated file loads.

Manual Input
Transactions manually entered through TAPS are subject to edits applied to automated transactions submitted for processing during the batch processing cycle.

Automated File Load
Transaction files may also be loaded via FTP. Similar to the TAPS edits, batch edits in STANFINS include the block totals. If a block total is not included in the FTP file, STANFINS will generate a block and then require a user to "accept" the block total in TAPS. The newly generated block will be reported on the Daily Preliminary Balance Report (AVK018).

Transaction blocks identified as exceptions by batch edits are suspended and reported on the Daily Preliminary Balance Report (AVK018). Accounting Technicians review the AVK018 and clear the transactions in error from the suspense file by submitting a correcting transaction, called a correction card, via TAPS. Items remain in suspense (and on the AVK018) until corrected. Blocks that do pass STANFINS batch edits are reported at a summary level by block in the AVK018.

Tests of Operating Effectiveness:
• Observed STANFINS batch processing to note whether a block total entered that didn't match the detailed transactions caused a suspended transaction. Inspected documentation to verify that these suspended transactions were recorded in the AVK018 report.
Results of Tests of Operating Effectiveness:
• No exceptions noted.

Section IV: Supplemental Information Provided by DFAS and DISA

A. CONTINUITY OF OPERATIONS PLANNING

Continuity of Operations Plan

In a consolidated effort, DFAS and DISA developed a COOP. The COOP possessed the following key characteristics:

•   Reflective of current conditions;
•   Approved by key affected groups including senior management, Data Center management, and program managers;
•   Clearly assigns responsibilities for recovery;
•   Includes detailed instructions for restoring operations (both operating systems and critical applications);
•   Identifies the alternate processing facility and the backup storage facility;
•   Includes procedures to follow when the DECC-St. Louis Data Center is unable to receive or transmit data;
•   Identifies critical data files;
•   Is detailed enough to be understood by all DFAS system managers;
•   Includes computer and telecommunications hardware compatible with the required system needs; and
•   Has been distributed to all appropriate personnel.

The COOP provided for backup personnel so that it can be implemented independently of specific individuals. Arrangements were planned for travel and lodging of necessary personnel, if needed. All computer room employees received training on emergency roles and responsibilities. Computer room staff received periodic training in emergency, fire, water, and alarm incident procedures. Emergency response procedures were also documented and periodically tested.

Contracts or interagency support agreements were established for a backup data center and other needed facilities that:

•   Were in a state of readiness commensurate with the risk of interrupted operations;
•   Had sufficient processing capability; and
•   Were likely to be available for use.

Alternate telecommunication services were arranged in the event a disaster rendered the current infrastructure unusable.

The contingency plan was periodically reassessed and, if appropriate, revised to reflect changes in hardware, software, and personnel. The COOP in the STANFINS SSAA was last updated in December 2003. The DISA DECC COOP was updated to include a Lessons Learned section with results of the latest COOP testing in March 2004. Several copies of the contingency plan were securely stored off-site at different locations.

COOP Testing (DISA DECC)

The COOP was tested under conditions that simulated DISA DECC-St. Louis's inability to process critical applications for DFAS. Assumptions were that voice communication, data communication, and public utility services were disabled, the building was not inhabitable, and the processing outage would continue for an extended period of time. DFAS and DISA coordinated efforts to conduct annual disaster recovery tests. Division representatives participated in the tests and were involved in the development of test plans for DFAS systems. Test results were reported to systems managers in writing and the COOP was updated to include short- and long-term solutions to problems identified. Additionally, test results were analyzed, and COOP test plans (including test scenarios and test results) were updated after each test. The COOP was also reviewed and updated as necessary.

The most recent disaster recovery test was performed March 8 through March 26, 2004 and included the STANFINS application and underlying GSS. The purpose of the exercise was to test the DECC-St. Louis COOP restoration of all DFAS-Indianapolis and Kansas City critical applications to validate the transfer and processing of data at an alternate location.

The COOP test was successful with the exception of the timeliness of backups. The March 2004 test and full restoration took 124.25 hours versus the 72-hour requirement stated in the STANFINS management and DISA SLA. DISA was taking action to meet the established timeframes.

Acronyms and Abbreviations

ABEND       Abnormal Ending
AC          Access Control
ACF2        Access Control Facility 2
ACL         Access Control Listing
AVK018      Daily Preliminary Balance Report
AVK087      STANFINS General Fund and Inquiry Report
AN          Authorization
APC         Account Processing Code
ASIMS       Army Standard Information Management System
AY          Accuracy
BCL         Block Control Log
C&A         Certification & Accreditation
CAC         Common Access Card
CC          Change Control
CDOIM       Centralized Directorate for Information Management
CICS        Customer Information Control System
COOP        Continuity of Operations Plan/Business Continuity Plan
CP          Completeness
CSOD        Computing Services Operations Division
DARPA       Defense Advanced Research Projects Agency
DARS        Databased Accounting Reconciliation System
DeCA        Defense Commissary Agency
DECC        Defense Enterprise Computing Center
DFAS        Defense Finance and Accounting Service
DISA        Defense Information Systems Agency
DISP        Defense Internet Service Provider
DITSCAP     Defense Information Technology Security Certification and Accreditation Process
DNO         Directorate for Network Operations
ELAN        Enterprise Local Area Network
ESCCB       Executive Software Configuration Control Board
FMFIA       Federal Managers' Financial Integrity Act
FTP         File Transfer Protocol
GSS         General Support System
IA          Information Assurance
IN          Integrity
ISO         Information Services Organization
ISSM        Information Systems Security Manager
ISSO        Information Systems Security Officer
ISSP        Information System Security Plan
IT          Information Technology
LAN         Local Area Network
LPARs       Logical Partitions
MAC         Mission Assurance Category
NIPRNET     Non-classified Internet Protocol Router Network
NIST        National Institute of Standards and Technology
NSO         Network Security Officer
NULO        Negative Unliquidated Obligation
OMB         Office of Management and Budget
PIN         Personal Identification Number
PMO         Program Management Office
RACF        Resource Access Control Facility
RAS         Remote Access Service
SAS         Statement on Auditing Standards
SC          Service Continuity
SCR         System Change Request
SP          Security Program
SRR         Security Readiness Review
SS          System Software
SSAA        System Security Authorization Agreement
SSO         System Support Office
STANFINS    Standard Finance System
STIG        Security Technical Implementation Guide
TAPS        Terminal Application Processing System
TASO        Terminal Area Security Officer
TCR         Test Condition Requirements
TSB         Technical Support Branch
TSO         Technical Services Organization

Report Distribution

Office of the Secretary of Defense

Under Secretary of Defense (Comptroller)/Chief Financial Officer
   Deputy Chief Financial Officer
   Deputy Comptroller (Program/Budget)
Director, Program Analysis and Evaluation

Department of the Army

Inspector General, Department of the Army
Army Audit Agency

Department of the Navy

Auditor General, Department of the Navy

Department of the Air Force

Assistant Secretary of the Air Force (Financial Management and Comptroller)
Auditor General, Department of the Air Force

Combatant Command

Inspector General, U.S. Joint Forces Command

Other Defense Organizations

Defense Finance and Accounting Service
Inspector General, Defense Information Systems Agency

Non-Defense Federal Organizations and Individuals

Office of Management and Budget
Government Accountability Office

Congressional Committees and Subcommittees, Chairman and Ranking Minority Members

Senate Committee on Appropriations
Senate Subcommittee on Defense, Committee on Appropriations
Senate Committee on Armed Services
Senate Committee on Governmental Affairs
House Committee on Appropriations
House Subcommittee on Defense, Committee on Appropriations
House Committee on Armed Services
House Committee on Government Reform
House Subcommittee on Government Efficiency and Financial Management, Committee on Government Reform
House Subcommittee on National Security, Emerging Threats, and International Relations, Committee on Government Reform
House Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, Committee on Government Reform
'
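The STANFINS "blocking" control described under the two control activities in Section III, worked through as an added example; this is not STANFINS, TAPS or DFAS code, and the record layout, function names and sample load are assumptions. A block passes only when its control total equals the sum of its details, a block loaded without a total is generated and held for user acceptance, and a mismatched block is suspended and carried on an AVK018-style report until a correction card clears it.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Dict, List, Optional, Tuple

# Constructed record layout (hypothetical, not the real STANFINS/TAPS format):
#   B,<block_id>,<control_total>   header; total is empty when an FTP load omits it
#   D,<block_id>,<doc_no>,<amount> detail transaction belonging to that block
@dataclass
class Block:
    block_id: str
    control_total: Optional[Decimal]                           # None: no total in the file
    details: Dict[str, Decimal] = field(default_factory=dict)  # doc_no -> amount
    status: str = "NEW"                                        # PASSED / SUSPENDED / PENDING-ACCEPT

    def detail_sum(self) -> Decimal:
        return sum(self.details.values(), Decimal("0"))

def parse_batch(lines: List[str]) -> Dict[str, Block]:
    """Group header and detail records into blocks, keyed by block id."""
    blocks: Dict[str, Block] = {}
    for raw in lines:
        rec_type, block_id, *rest = raw.strip().split(",")
        if rec_type == "B":
            blocks[block_id] = Block(block_id, Decimal(rest[0]) if rest[0] else None)
        elif rec_type == "D":
            blocks.setdefault(block_id, Block(block_id, None)).details[rest[0]] = Decimal(rest[1])
        else:
            raise ValueError(f"unknown record type {rec_type!r}")
    return blocks

def batch_edit(blk: Block) -> None:
    """The block-total edit: the control total must equal the sum of the details."""
    if blk.control_total is None:
        blk.control_total = blk.detail_sum()   # STANFINS generates the block total...
        blk.status = "PENDING-ACCEPT"          # ...and a user must accept it in TAPS
    elif blk.control_total == blk.detail_sum():
        blk.status = "PASSED"
    else:
        blk.status = "SUSPENDED"               # stays on the AVK018 until corrected

def accept_block(blk: Block) -> None:          # user accepts a generated total in TAPS
    if blk.status == "PENDING-ACCEPT":
        blk.status = "PASSED"

def correction_card(blk: Block, doc_no: str, amount: str) -> None:
    # Correcting transaction via TAPS; the block leaves suspense only if the edit passes.
    blk.details[doc_no] = Decimal(amount)
    batch_edit(blk)

def avk018(blocks: Dict[str, Block]) -> Dict[str, List[Tuple]]:
    """Daily Preliminary Balance Report: exceptions in full, passed blocks at summary level."""
    rpt: Dict[str, List[Tuple]] = {"suspended": [], "generated": [], "passed": []}
    for b in blocks.values():
        if b.status == "SUSPENDED":
            rpt["suspended"].append((b.block_id, str(b.control_total), str(b.detail_sum())))
        elif b.status == "PENDING-ACCEPT":
            rpt["generated"].append((b.block_id, str(b.control_total)))
        elif b.status == "PASSED":
            rpt["passed"].append((b.block_id, str(b.control_total), len(b.details)))
    return rpt

SAMPLE_LOAD = [  # constructed sample FTP load, not real DFAS data
    "B,B001,1500.00", "D,B001,DOC1,1000.00", "D,B001,DOC2,500.00",  # total matches details
    "B,B002,2000.00", "D,B002,DOC3,1880.00", "D,B002,DOC4,210.00",  # 210.00 keyed for 120.00
    "B,B003,", "D,B003,DOC5,75.25",                                 # no block total in file
]

def daily_cycle(lines: List[str] = SAMPLE_LOAD):
    # Run the batch edits over one load; return the blocks and the AVK018 report.
    blocks = parse_batch(lines)
    for b in blocks.values():
        batch_edit(b)
    return blocks, avk018(blocks)
```

Running `daily_cycle()` on the sample load passes B001, suspends B002 with the keyed total and the detail sum side by side, and reports B003 as a generated block; `correction_card` on DOC4 then clears B002 and `accept_block` clears B003.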